# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Jun 3 2020 08:38:37 # Log Creation Date: 29.07.2020 21:20:29.861 Process: id = "1" image_name = "dmyurb.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dmyurb.exe" page_root = "0x36f7a000" os_pid = "0xb04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmyurb.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xa28 [0048.052] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d30000 [0048.053] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcAddress") returned 0x76d41222 [0048.053] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleW") returned 0x76d434b0 [0048.053] GetProcAddress (hModule=0x76d30000, lpProcName="FindNextFileW") returned 0x76d454ee [0048.054] GetProcAddress (hModule=0x76d30000, lpProcName="FindClose") returned 0x76d44442 [0048.054] GetProcAddress (hModule=0x76d30000, lpProcName="MoveFileW") returned 0x76d59af0 [0048.054] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileSizeEx") returned 0x76d459e2 [0048.054] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0048.054] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileAttributesW") returned 0x76d41b18 [0048.054] GetProcAddress (hModule=0x76d30000, lpProcName="ExitProcess") returned 0x76d47a10 [0048.054] GetProcAddress (hModule=0x76d30000, lpProcName="GetCommandLineW") returned 0x76d45223 [0048.054] GetProcAddress (hModule=0x76d30000, lpProcName="GetComputerNameW") returned 0x76d4dd0e [0048.054] GetProcAddress (hModule=0x76d30000, lpProcName="GetComputerNameA") returned 0x76d5b6e0 [0048.054] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMutexW") returned 0x76d4424c [0048.054] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenW") returned 0x76d41700 [0048.054] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenA") returned 0x76d45a4b [0048.055] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcess") returned 0x76d41809 [0048.055] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForSingleObject") returned 0x76d41136 [0048.055] GetProcAddress (hModule=0x76d30000, lpProcName="GetLogicalDrives") returned 0x76d45371 [0048.055] GetProcAddress (hModule=0x76d30000, lpProcName="GetTickCount") returned 0x76d4110c [0048.055] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteFileW") returned 0x76d489b3 [0048.055] GetProcAddress (hModule=0x76d30000, lpProcName="WideCharToMultiByte") returned 0x76d4170d [0048.055] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76d41916 [0048.055] GetProcAddress (hModule=0x76d30000, lpProcName="Sleep") returned 0x76d410ff [0048.055] GetProcAddress (hModule=0x76d30000, lpProcName="LeaveCriticalSection") returned 0x77c62270 [0048.055] GetProcAddress (hModule=0x76d30000, lpProcName="ReadFile") returned 0x76d43ed3 [0048.055] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="OpenMutexW") returned 0x76d45151 [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="EnterCriticalSection") returned 0x77c622b0 [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForMultipleObjects") returned 0x76d44220 [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcmpiW") returned 0x76d5d5cd [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcmpiA") returned 0x76d43e8e [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteCriticalSection") returned 0x77c745f5 [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseMutex") returned 0x76d4111e [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="GetVersion") returned 0x76d44467 [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThread") returned 0x76d434d5 [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="ExpandEnvironmentStringsW") returned 0x76d44173 [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="QueryPerformanceCounter") returned 0x76d41725 [0048.056] GetProcAddress (hModule=0x76d30000, lpProcName="QueryPerformanceFrequency") returned 0x76d441f0 [0048.057] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcessId") returned 0x76d411f8 [0048.057] GetProcAddress (hModule=0x76d30000, lpProcName="SetFileAttributesW") returned 0x76d5d4f7 [0048.057] GetProcAddress (hModule=0x76d30000, lpProcName="GetVolumeInformationW") returned 0x76d5c860 [0048.057] GetProcAddress (hModule=0x76d30000, lpProcName="WriteFile") returned 0x76d41282 [0048.057] GetProcAddress (hModule=0x76d30000, lpProcName="SetFilePointerEx") returned 0x76d5c807 [0048.057] GetProcAddress (hModule=0x76d30000, lpProcName="SetEndOfFile") returned 0x76d5ce2e [0048.058] GetProcAddress (hModule=0x76d30000, lpProcName="FindFirstFileW") returned 0x76d44435 [0048.063] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcessHeap") returned 0x76d414e9 [0048.063] GetProcAddress (hModule=0x76d30000, lpProcName="HeapReAlloc") returned 0x77c81f6e [0048.063] GetProcAddress (hModule=0x76d30000, lpProcName="HeapAlloc") returned 0x77c6e026 [0048.063] GetProcAddress (hModule=0x76d30000, lpProcName="HeapFree") returned 0x76d414c9 [0048.063] GetProcAddress (hModule=0x76d30000, lpProcName="CreatePipe") returned 0x76dc415b [0048.063] GetProcAddress (hModule=0x76d30000, lpProcName="SetHandleInformation") returned 0x76d5195c [0048.063] GetProcAddress (hModule=0x76d30000, lpProcName="CreateProcessW") returned 0x76d4103d [0048.064] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringW") returned 0x76d43bca [0048.064] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringA") returned 0x76d43c5a [0048.064] GetProcAddress (hModule=0x76d30000, lpProcName="OpenProcess") returned 0x76d41986 [0048.065] GetProcAddress (hModule=0x76d30000, lpProcName="TerminateProcess") returned 0x76d5d802 [0048.065] GetProcAddress (hModule=0x76d30000, lpProcName="GetSystemTime") returned 0x76d45a96 [0048.065] GetProcAddress (hModule=0x76d30000, lpProcName="SystemTimeToFileTime") returned 0x76d45a7e [0048.065] GetProcAddress (hModule=0x76d30000, lpProcName="GetLastError") returned 0x76d411c0 [0048.065] GetProcAddress (hModule=0x76d30000, lpProcName="CreateToolhelp32Snapshot") returned 0x76d6735f [0048.065] GetProcAddress (hModule=0x76d30000, lpProcName="Process32NextW") returned 0x76d6896c [0048.065] GetProcAddress (hModule=0x76d30000, lpProcName="Process32FirstW") returned 0x76d68baf [0048.065] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0051.936] GetProcAddress (hModule=0x77710000, lpProcName="RegOpenKeyExW") returned 0x7772468d [0051.936] GetProcAddress (hModule=0x77710000, lpProcName="RegQueryValueExW") returned 0x777246ad [0051.936] GetProcAddress (hModule=0x77710000, lpProcName="RegSetValueExW") returned 0x777214d6 [0051.937] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0051.937] GetProcAddress (hModule=0x77710000, lpProcName="OpenProcessToken") returned 0x77724304 [0051.937] GetProcAddress (hModule=0x77710000, lpProcName="GetTokenInformation") returned 0x7772431c [0051.937] GetProcAddress (hModule=0x77710000, lpProcName="OpenSCManagerW") returned 0x7771ca64 [0051.937] GetProcAddress (hModule=0x77710000, lpProcName="OpenServiceW") returned 0x7771ca4c [0051.937] GetProcAddress (hModule=0x77710000, lpProcName="CloseServiceHandle") returned 0x7772369c [0051.937] GetProcAddress (hModule=0x77710000, lpProcName="ControlService") returned 0x77737144 [0051.937] GetProcAddress (hModule=0x77710000, lpProcName="QueryServiceStatus") returned 0x77722a86 [0051.937] GetProcAddress (hModule=0x77710000, lpProcName="EnumDependentServicesW") returned 0x77711e3a [0051.937] GetProcAddress (hModule=0x77710000, lpProcName="EnumServicesStatusExW") returned 0x7771b466 [0051.937] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0056.036] GetProcAddress (hModule=0x77130000, lpProcName="SystemParametersInfoW") returned 0x771490d3 [0056.036] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x759d0000 [0059.998] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteExW") returned 0x759f1e46 [0059.998] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77c40000 [0059.999] GetProcAddress (hModule=0x77c40000, lpProcName="NtQuerySystemInformation") returned 0x77c5fda0 [0059.999] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x75660000 [0060.418] GetProcAddress (hModule=0x75660000, lpProcName="WNetCloseEnum") returned 0x75662dd6 [0060.418] GetProcAddress (hModule=0x75660000, lpProcName="WNetOpenEnumW") returned 0x75662f06 [0060.418] GetProcAddress (hModule=0x75660000, lpProcName="WNetEnumResourceW") returned 0x75663058 [0060.418] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77230000 [0060.980] GetProcAddress (hModule=0x77230000, lpProcName="WSAStartup") returned 0x77233ab2 [0060.980] GetProcAddress (hModule=0x77230000, lpProcName="socket") returned 0x77233eb8 [0060.980] GetProcAddress (hModule=0x77230000, lpProcName="send") returned 0x77236f01 [0060.980] GetProcAddress (hModule=0x77230000, lpProcName="recv") returned 0x77236b0e [0060.980] GetProcAddress (hModule=0x77230000, lpProcName="connect") returned 0x77236bdd [0060.980] GetProcAddress (hModule=0x77230000, lpProcName="closesocket") returned 0x77233918 [0060.980] GetProcAddress (hModule=0x77230000, lpProcName="gethostbyname") returned 0x77247673 [0060.981] GetProcAddress (hModule=0x77230000, lpProcName="inet_addr") returned 0x7723311b [0060.981] GetProcAddress (hModule=0x77230000, lpProcName="ntohl") returned 0x77232d57 [0060.981] GetProcAddress (hModule=0x77230000, lpProcName="htonl") returned 0x77232d57 [0060.981] GetProcAddress (hModule=0x77230000, lpProcName="htons") returned 0x77232d8b [0060.981] GetProcessHeap () returned 0x240000 [0060.981] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x20) returned 0x2540c8 [0060.981] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=18133549138) returned 1 [0060.981] GetTickCount () returned 0x1147f3e [0060.981] GetCurrentProcessId () returned 0xb04 [0060.982] GetTickCount () returned 0x1147f3e [0060.982] GetTickCount () returned 0x1147f3e [0060.983] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x20) returned 0x2540f0 [0060.983] GetVersion () returned 0x1db10106 [0060.983] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x7) returned 0x2436b0 [0060.983] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x250bd0 [0060.983] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x250bd0, Size=0x20) returned 0x254140 [0060.983] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254140, Size=0x40) returned 0x2546b0 [0060.983] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x254900 [0060.983] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_0V61B2A") returned 0x0 [0060.984] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_0V61B2A") returned 0x84 [0060.984] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2436b0 | out: hHeap=0x240000) returned 1 [0060.984] lstrlenW (lpString="Global\\syncronize_") returned 18 [0060.984] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2546b0 | out: hHeap=0x240000) returned 1 [0060.984] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x7) returned 0x2436b0 [0060.984] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x250bd0 [0060.984] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x250bd0, Size=0x20) returned 0x254140 [0060.984] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254140, Size=0x40) returned 0x2546b0 [0060.984] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x264908 [0060.984] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_0V61B2U") returned 0x0 [0060.985] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_0V61B2U") returned 0x88 [0060.985] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2436b0 | out: hHeap=0x240000) returned 1 [0060.985] lstrlenW (lpString="Global\\syncronize_") returned 18 [0060.985] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2546b0 | out: hHeap=0x240000) returned 1 [0060.985] GetVersion () returned 0x1db10106 [0060.985] GetCurrentProcess () returned 0xffffffff [0060.985] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x8c) returned 1 [0060.985] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0060.985] CloseHandle (hObject=0x8c) returned 1 [0060.985] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x0 [0060.985] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0x3e8) returned 0x0 [0060.985] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x14) returned 0x2436b0 [0060.985] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x250bd0 [0060.985] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x250bd0, Size=0x20) returned 0x254140 [0060.985] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254140, Size=0x40) returned 0x2546b0 [0060.985] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2546b0, Size=0x80) returned 0x2546b0 [0060.985] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2546b0, Size=0x100) returned 0x2546b0 [0060.985] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x34) returned 0x2547b8 [0060.985] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x2507c0 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x2507d0 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x2507e0 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x250bd0 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x2547f8 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x250be8 [0060.986] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2547f8, Size=0x8) returned 0x2547f8 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x250c00 [0060.986] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2547f8, Size=0x10) returned 0x2547f8 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x250c18 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x250c30 [0060.986] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2547f8, Size=0x20) returned 0x2547f8 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x250c48 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x250c60 [0060.986] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2507c0, Size=0x8) returned 0x2507c0 [0060.986] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2507d0, Size=0x8) returned 0x2507d0 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x254820 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x250c78 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x254830 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x250c90 [0060.986] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254830, Size=0x8) returned 0x254830 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274928 [0060.986] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254830, Size=0x10) returned 0x254830 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274940 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x254848 [0060.986] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254830, Size=0x20) returned 0x254858 [0060.986] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2507c0, Size=0x10) returned 0x254830 [0060.986] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2507d0, Size=0x10) returned 0x254880 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x2507c0 [0060.986] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x274958 [0060.987] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x2507d0 [0060.987] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274970 [0060.987] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2507d0, Size=0x8) returned 0x2507d0 [0060.987] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x254898 [0060.987] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x274988 [0060.987] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x2548a8 [0060.987] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2749a0 [0060.987] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2548a8, Size=0x8) returned 0x2548a8 [0060.987] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254830, Size=0x20) returned 0x274d10 [0060.987] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254880, Size=0x20) returned 0x274d38 [0060.987] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x254880 [0060.987] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2749b8 [0060.987] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x254830 [0060.987] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2749d0 [0060.987] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254830, Size=0x8) returned 0x254830 [0060.987] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x14) returned 0x274d60 [0060.987] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x14) returned 0x274d80 [0060.987] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0060.987] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2546b0 | out: hHeap=0x240000) returned 1 [0060.988] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18fdf0 | out: lpWSAData=0x18fdf0) returned 0 [0061.002] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2749e8 [0061.002] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2749e8, Size=0x20) returned 0x254348 [0061.002] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254348, Size=0x40) returned 0x254708 [0061.002] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254708, Size=0x80) returned 0x254708 [0061.002] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254708, Size=0x100) returned 0x275058 [0061.002] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2749e8 [0061.002] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2749e8, Size=0x20) returned 0x254348 [0061.002] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254348, Size=0x40) returned 0x254708 [0061.002] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254708, Size=0x80) returned 0x254708 [0061.002] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254708, Size=0x100) returned 0x275160 [0061.002] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2749e8 [0061.002] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x254708 [0061.002] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a00 [0061.002] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254708, Size=0x8) returned 0x254708 [0061.002] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x14) returned 0x254718 [0061.003] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254708, Size=0x10) returned 0x254738 [0061.003] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x18) returned 0x254750 [0061.003] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1a) returned 0x254348 [0061.003] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254738, Size=0x20) returned 0x254770 [0061.003] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1c) returned 0x254370 [0061.003] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x16) returned 0x254798 [0061.003] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1a) returned 0x254398 [0061.003] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x274a18 [0061.003] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x254708 [0061.003] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40) returned 0x275268 [0061.003] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254708, Size=0x8) returned 0x254708 [0061.004] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x3c) returned 0x2752b0 [0061.004] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254708, Size=0x10) returned 0x254738 [0061.004] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x14) returned 0x2752f8 [0061.004] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x18) returned 0x275318 [0061.004] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254738, Size=0x20) returned 0x275338 [0061.004] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x24) returned 0x275360 [0061.004] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0061.004] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275058 | out: hHeap=0x240000) returned 1 [0061.004] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0061.004] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275160 | out: hHeap=0x240000) returned 1 [0061.004] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2758e0 [0061.010] EnumServicesStatusExW (in: hSCManager=0x2758e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 0 [0061.012] GetLastError () returned 0xea [0061.012] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x11e4) returned 0x2791e0 [0061.012] EnumServicesStatusExW (in: hSCManager=0x2758e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x2791e0, cbBufSize=0x11e4, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x2791e0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 1 [0061.013] CloseServiceHandle (hSCObject=0x2758e0) returned 1 [0061.017] lstrlenW (lpString="Appinfo") returned 7 [0061.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0061.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0061.017] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0061.017] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0061.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0061.017] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0061.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0061.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0061.018] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0061.018] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0061.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0061.018] lstrlenW (lpString="AudioSrv") returned 8 [0061.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0061.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0061.018] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0061.018] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0061.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0061.018] lstrlenW (lpString="BFE") returned 3 [0061.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0061.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0061.018] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0061.018] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0061.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0061.018] lstrlenW (lpString="CryptSvc") returned 8 [0061.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0061.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0061.018] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0061.018] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0061.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0061.018] lstrlenW (lpString="CscService") returned 10 [0061.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0061.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0061.018] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0061.019] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0061.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0061.019] lstrlenW (lpString="DcomLaunch") returned 10 [0061.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0061.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0061.019] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0061.019] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0061.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0061.019] lstrlenW (lpString="Dhcp") returned 4 [0061.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0061.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0061.019] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0061.019] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0061.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0061.019] lstrlenW (lpString="Dnscache") returned 8 [0061.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0061.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0061.019] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0061.019] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0061.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0061.019] lstrlenW (lpString="DPS") returned 3 [0061.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0061.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0061.019] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0061.020] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0061.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0061.020] lstrlenW (lpString="eventlog") returned 8 [0061.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0061.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0061.020] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0061.020] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0061.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0061.020] lstrlenW (lpString="EventSystem") returned 11 [0061.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0061.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0061.020] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0061.020] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0061.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0061.020] lstrlenW (lpString="gpsvc") returned 5 [0061.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0061.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0061.020] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0061.020] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0061.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0061.020] lstrlenW (lpString="iphlpsvc") returned 8 [0061.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0061.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0061.020] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0061.020] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0061.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0061.020] lstrlenW (lpString="LanmanServer") returned 12 [0061.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0061.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0061.021] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0061.021] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0061.021] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0061.021] lstrlenW (lpString="LanmanWorkstation") returned 17 [0061.021] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0061.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0061.021] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0061.021] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0061.021] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0061.021] lstrlenW (lpString="lmhosts") returned 7 [0061.021] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0061.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0061.021] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0061.021] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0061.021] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0061.021] lstrlenW (lpString="MMCSS") returned 5 [0061.021] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0061.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0061.021] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0061.021] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0061.021] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0061.021] lstrlenW (lpString="MpsSvc") returned 6 [0061.021] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0061.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0061.021] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0061.021] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0061.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0061.022] lstrlenW (lpString="Netman") returned 6 [0061.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0061.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0061.022] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0061.022] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0061.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0061.022] lstrlenW (lpString="netprofm") returned 8 [0061.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0061.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0061.022] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0061.022] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0061.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0061.022] lstrlenW (lpString="NlaSvc") returned 6 [0061.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0061.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0061.022] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0061.022] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0061.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0061.022] lstrlenW (lpString="nsi") returned 3 [0061.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0061.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0061.022] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0061.022] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0061.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0061.022] lstrlenW (lpString="PcaSvc") returned 6 [0061.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0061.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0061.023] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0061.023] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0061.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0061.023] lstrlenW (lpString="PlugPlay") returned 8 [0061.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0061.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0061.023] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0061.023] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0061.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0061.023] lstrlenW (lpString="Power") returned 5 [0061.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0061.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0061.023] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0061.023] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0061.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0061.023] lstrlenW (lpString="ProfSvc") returned 7 [0061.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0061.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0061.023] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0061.023] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0061.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0061.023] lstrlenW (lpString="RpcEptMapper") returned 12 [0061.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0061.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0061.023] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0061.023] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0061.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0061.023] lstrlenW (lpString="RpcSs") returned 5 [0061.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0061.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0061.024] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0061.024] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0061.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0061.024] lstrlenW (lpString="SamSs") returned 5 [0061.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0061.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0061.024] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0061.024] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0061.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0061.024] lstrlenW (lpString="Schedule") returned 8 [0061.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0061.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0061.024] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0061.024] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0061.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0061.024] lstrlenW (lpString="SENS") returned 4 [0061.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0061.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0061.024] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0061.024] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0061.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0061.024] lstrlenW (lpString="ShellHWDetection") returned 16 [0061.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0061.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0061.024] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0061.024] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0061.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0061.025] lstrlenW (lpString="Spooler") returned 7 [0061.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0061.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0061.025] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0061.025] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0061.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0061.025] lstrlenW (lpString="SysMain") returned 7 [0061.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0061.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0061.025] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0061.025] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0061.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0061.025] lstrlenW (lpString="Themes") returned 6 [0061.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0061.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0061.025] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0061.025] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0061.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0061.025] lstrlenW (lpString="TrkWks") returned 6 [0061.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0061.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0061.025] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0061.025] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0061.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0061.025] lstrlenW (lpString="UxSms") returned 5 [0061.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0061.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0061.025] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0061.026] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0061.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0061.026] lstrlenW (lpString="WdiServiceHost") returned 14 [0061.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0061.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0061.026] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0061.026] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0061.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0061.026] lstrlenW (lpString="WdiSystemHost") returned 13 [0061.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0061.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0061.026] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0061.026] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0061.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0061.026] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0061.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0061.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0061.026] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0061.026] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0061.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0061.026] lstrlenW (lpString="Winmgmt") returned 7 [0061.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0061.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0061.026] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0061.026] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0061.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0061.026] lstrlenW (lpString="WPDBusEnum") returned 10 [0061.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0061.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0061.027] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0061.027] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0061.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0061.027] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2791e0 | out: hHeap=0x240000) returned 1 [0061.027] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0061.037] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0061.038] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0061.039] lstrlenW (lpString="System") returned 6 [0061.039] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0061.039] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0061.039] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0061.039] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0061.039] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0061.039] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0061.039] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0061.039] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0061.039] lstrlenW (lpString="smss.exe") returned 8 [0061.039] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0061.039] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0061.039] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0061.039] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0061.039] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0061.039] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0061.040] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0061.040] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0061.040] lstrlenW (lpString="csrss.exe") returned 9 [0061.040] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0061.040] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0061.040] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0061.040] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0061.040] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0061.040] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0061.040] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0061.040] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0061.041] lstrlenW (lpString="wininit.exe") returned 11 [0061.041] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0061.041] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0061.041] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0061.041] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0061.041] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0061.041] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0061.041] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0061.041] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0061.042] lstrlenW (lpString="csrss.exe") returned 9 [0061.042] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0061.042] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0061.042] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0061.042] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0061.042] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0061.042] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0061.042] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0061.043] lstrlenW (lpString="winlogon.exe") returned 12 [0061.043] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0061.043] lstrlenW (lpString="services.exe") returned 12 [0061.043] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0061.044] lstrlenW (lpString="lsass.exe") returned 9 [0061.044] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0061.045] lstrlenW (lpString="lsm.exe") returned 7 [0061.045] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.045] lstrlenW (lpString="svchost.exe") returned 11 [0061.045] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.046] lstrlenW (lpString="svchost.exe") returned 11 [0061.046] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.046] lstrlenW (lpString="svchost.exe") returned 11 [0061.046] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.047] lstrlenW (lpString="svchost.exe") returned 11 [0061.047] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.048] lstrlenW (lpString="svchost.exe") returned 11 [0061.048] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0061.048] lstrlenW (lpString="audiodg.exe") returned 11 [0061.048] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.049] lstrlenW (lpString="svchost.exe") returned 11 [0061.049] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.051] lstrlenW (lpString="svchost.exe") returned 11 [0061.051] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0061.051] lstrlenW (lpString="dwm.exe") returned 7 [0061.051] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0061.052] lstrlenW (lpString="explorer.exe") returned 12 [0061.052] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0061.052] lstrlenW (lpString="spoolsv.exe") returned 11 [0061.052] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.053] lstrlenW (lpString="svchost.exe") returned 11 [0061.053] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0061.054] lstrlenW (lpString="taskhost.exe") returned 12 [0061.054] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0061.054] lstrlenW (lpString="taskeng.exe") returned 11 [0061.054] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0061.055] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0061.055] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0061.055] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0061.055] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0061.056] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0061.056] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0061.057] lstrlenW (lpString="celebration.exe") returned 15 [0061.057] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0061.057] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0061.057] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0061.058] lstrlenW (lpString="americansislamic.exe") returned 20 [0061.058] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0061.059] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0061.059] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0061.059] lstrlenW (lpString="sm-aud.exe") returned 10 [0061.059] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0061.060] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0061.060] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0061.061] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0061.061] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0061.061] lstrlenW (lpString="lap.exe") returned 7 [0061.061] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0061.062] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0061.062] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0061.063] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0061.063] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0061.064] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0061.064] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0061.064] lstrlenW (lpString="completion.exe") returned 14 [0061.064] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0061.065] lstrlenW (lpString="independently.exe") returned 17 [0061.065] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0061.097] lstrlenW (lpString="mel_kinase.exe") returned 14 [0061.097] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0061.097] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0061.097] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0061.098] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0061.101] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0061.102] lstrlenW (lpString="3dftp.exe") returned 9 [0061.102] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0061.103] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0061.103] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0061.103] lstrlenW (lpString="alftp.exe") returned 9 [0061.103] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0061.104] lstrlenW (lpString="barca.exe") returned 9 [0061.104] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0061.104] lstrlenW (lpString="bitkinex.exe") returned 12 [0061.104] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0061.105] lstrlenW (lpString="coreftp.exe") returned 11 [0061.105] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0061.106] lstrlenW (lpString="far.exe") returned 7 [0061.106] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0061.106] lstrlenW (lpString="filezilla.exe") returned 13 [0061.106] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0061.107] lstrlenW (lpString="flashfxp.exe") returned 12 [0061.107] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0061.107] lstrlenW (lpString="fling.exe") returned 9 [0061.107] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0061.108] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0061.108] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0061.108] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0061.108] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0061.109] lstrlenW (lpString="icq.exe") returned 7 [0061.109] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0061.109] lstrlenW (lpString="leechftp.exe") returned 12 [0061.109] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0061.110] lstrlenW (lpString="ncftp.exe") returned 9 [0061.110] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0061.111] lstrlenW (lpString="notepad.exe") returned 11 [0061.111] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0061.112] lstrlenW (lpString="operamail.exe") returned 13 [0061.112] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0061.113] lstrlenW (lpString="outlook.exe") returned 11 [0061.120] CloseHandle (hObject=0xe4) returned 1 [0061.120] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0061.121] lstrlenW (lpString="pidgin.exe") returned 10 [0061.121] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0061.122] lstrlenW (lpString="scriptftp.exe") returned 13 [0061.122] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0061.123] lstrlenW (lpString="skype.exe") returned 9 [0061.123] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0061.124] lstrlenW (lpString="smartftp.exe") returned 12 [0061.124] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0061.124] lstrlenW (lpString="thunderbird.exe") returned 15 [0061.124] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0061.125] lstrlenW (lpString="totalcmd.exe") returned 12 [0061.125] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0061.126] lstrlenW (lpString="trillian.exe") returned 12 [0061.126] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0061.127] lstrlenW (lpString="webdrive.exe") returned 12 [0061.127] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0061.128] lstrlenW (lpString="whatsapp.exe") returned 12 [0061.128] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0061.129] lstrlenW (lpString="winscp.exe") returned 10 [0061.129] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0061.129] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0061.129] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0061.130] lstrlenW (lpString="active-charge.exe") returned 17 [0061.130] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0061.131] lstrlenW (lpString="accupos.exe") returned 11 [0061.131] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0061.132] lstrlenW (lpString="afr38.exe") returned 9 [0061.132] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0061.133] lstrlenW (lpString="aldelo.exe") returned 10 [0061.133] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0061.133] lstrlenW (lpString="ccv_server.exe") returned 14 [0061.133] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0061.134] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0061.134] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0061.135] lstrlenW (lpString="creditservice.exe") returned 17 [0061.135] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0061.136] lstrlenW (lpString="edcsvr.exe") returned 10 [0061.136] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0061.137] lstrlenW (lpString="fpos.exe") returned 8 [0061.137] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0061.137] lstrlenW (lpString="isspos.exe") returned 10 [0061.137] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0061.138] lstrlenW (lpString="mxslipstream.exe") returned 16 [0061.138] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0061.139] lstrlenW (lpString="omnipos.exe") returned 11 [0061.139] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0061.139] lstrlenW (lpString="spcwin.exe") returned 10 [0061.139] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0061.140] lstrlenW (lpString="spgagentservice.exe") returned 19 [0061.140] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0061.141] lstrlenW (lpString="utg2.exe") returned 8 [0061.141] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0061.142] lstrlenW (lpString="forced-british.exe") returned 18 [0061.142] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0061.142] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0061.142] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0061.143] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0061.143] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0061.156] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0061.156] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0061.157] lstrlenW (lpString="kenya.exe") returned 9 [0061.157] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0061.158] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0061.158] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0061.159] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0061.159] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0061.160] lstrlenW (lpString="taskhost.exe") returned 12 [0061.160] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0061.160] lstrlenW (lpString="dllhost.exe") returned 11 [0061.161] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0061.161] lstrlenW (lpString="dllhost.exe") returned 11 [0061.161] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0061.162] lstrlenW (lpString="dmyurb.exe") returned 10 [0061.162] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 0 [0061.162] CloseHandle (hObject=0xe0) returned 1 [0061.162] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275268 | out: hHeap=0x240000) returned 1 [0061.162] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2752b0 | out: hHeap=0x240000) returned 1 [0061.162] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2752f8 | out: hHeap=0x240000) returned 1 [0061.162] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275318 | out: hHeap=0x240000) returned 1 [0061.162] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275360 | out: hHeap=0x240000) returned 1 [0061.163] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x274a00 | out: hHeap=0x240000) returned 1 [0061.163] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x254718 | out: hHeap=0x240000) returned 1 [0061.163] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x254750 | out: hHeap=0x240000) returned 1 [0061.163] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x254348 | out: hHeap=0x240000) returned 1 [0061.163] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x254370 | out: hHeap=0x240000) returned 1 [0061.163] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x254798 | out: hHeap=0x240000) returned 1 [0061.163] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x254398 | out: hHeap=0x240000) returned 1 [0061.163] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x27b428 [0061.163] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x28b430 [0061.164] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a00 [0061.164] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a00, Size=0x20) returned 0x254398 [0061.164] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254398, Size=0x40) returned 0x2769a8 [0061.164] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a00 [0061.164] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a00, Size=0x20) returned 0x254398 [0061.164] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a00 [0061.164] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a00, Size=0x20) returned 0x254370 [0061.164] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a00 [0061.164] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a00, Size=0x20) returned 0x254348 [0061.164] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254348, Size=0x40) returned 0x2769f0 [0061.164] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x28b430, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmyurb.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dmyurb.exe")) returned 0x30 [0061.164] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x29b438 [0061.164] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x2ab440 [0061.165] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a00 [0061.165] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a00, Size=0x20) returned 0x254348 [0061.165] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254348, Size=0x40) returned 0x276a38 [0061.165] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276a38, Size=0x80) returned 0x275268 [0061.165] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x275268, Size=0x100) returned 0x277bb0 [0061.165] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0061.165] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x277bb0 | out: hHeap=0x240000) returned 1 [0061.165] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\dmyurb.exe", lpDst=0x29b438, nSize=0x7fff | out: lpDst="C:\\Windows\\System32\\dmyurb.exe") returned 0x1f [0061.165] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2ab440 | out: hHeap=0x240000) returned 1 [0061.165] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29b438 | out: hHeap=0x240000) returned 1 [0061.165] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x100000) returned 0x2060020 [0061.165] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a00 [0061.165] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a00, Size=0x20) returned 0x254348 [0061.165] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a00 [0061.165] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a00, Size=0x20) returned 0x275930 [0061.165] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0061.165] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0061.165] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x0) returned 1 [0061.166] lstrlenW (lpString="kernel32.dll") returned 12 [0061.166] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x254348 | out: hHeap=0x240000) returned 1 [0061.166] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0061.166] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275930 | out: hHeap=0x240000) returned 1 [0061.166] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmyurb.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dmyurb.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0061.166] CreateFileW (lpFileName="C:\\Windows\\System32\\dmyurb.exe" (normalized: "c:\\windows\\system32\\dmyurb.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0061.167] ReadFile (in: hFile=0xe0, lpBuffer=0x2060020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0061.182] WriteFile (in: hFile=0xe4, lpBuffer=0x2060020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0061.186] ReadFile (in: hFile=0xe0, lpBuffer=0x2060020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0061.186] CloseHandle (hObject=0xe4) returned 1 [0061.190] CloseHandle (hObject=0xe0) returned 1 [0061.190] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a00 [0061.191] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a00, Size=0x20) returned 0x275930 [0061.191] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a00 [0061.191] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a00, Size=0x20) returned 0x2758e0 [0061.191] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0061.192] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0061.192] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0061.192] lstrlenW (lpString="kernel32.dll") returned 12 [0061.192] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2758e0 | out: hHeap=0x240000) returned 1 [0061.192] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0061.192] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275930 | out: hHeap=0x240000) returned 1 [0061.192] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2060020 | out: hHeap=0x240000) returned 1 [0061.198] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a00 [0061.198] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a00, Size=0x20) returned 0x275930 [0061.199] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x275930, Size=0x40) returned 0x276a38 [0061.199] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276a38, Size=0x80) returned 0x29b450 [0061.199] lstrlenW (lpString="C:\\Windows\\System32\\dmyurb.exe") returned 30 [0061.199] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0061.199] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x5c) returned 0x275268 [0061.199] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe0) returned 0x0 [0061.199] RegSetValueExW (in: hKey=0xe0, lpValueName="dmyurb.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\System32\\dmyurb.exe", cbData=0x3c | out: lpData="C:\\Windows\\System32\\dmyurb.exe") returned 0x0 [0061.201] RegCloseKey (hKey=0xe0) returned 0x0 [0061.201] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275268 | out: hHeap=0x240000) returned 1 [0061.201] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0061.201] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29b450 | out: hHeap=0x240000) returned 1 [0061.201] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x29d438 [0061.201] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x2ad440 [0061.201] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a00 [0061.201] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a00, Size=0x20) returned 0x275930 [0061.201] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x275930, Size=0x40) returned 0x276a38 [0061.201] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276a38, Size=0x80) returned 0x29b450 [0061.201] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x29b450, Size=0x100) returned 0x277bb0 [0061.201] lstrlenW (lpString="") returned 0 [0061.201] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0061.201] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8c) returned 0x277cb8 [0061.201] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe0) returned 0x0 [0061.202] RegQueryValueExW (in: hKey=0xe0, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x2ad440, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x0, lpData=0x2ad440*=0x53, lpcbData=0x18fd50*=0x7fff) returned 0x2 [0061.202] RegCloseKey (hKey=0xe0) returned 0x0 [0061.202] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x277cb8 | out: hHeap=0x240000) returned 1 [0061.202] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0061.202] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8c) returned 0x277cb8 [0061.202] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0061.202] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x2ad440, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x98) returned 0x0 [0061.202] RegCloseKey (hKey=0xe4) returned 0x0 [0061.202] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x277cb8 | out: hHeap=0x240000) returned 1 [0061.202] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0061.202] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0061.202] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x277bb0 | out: hHeap=0x240000) returned 1 [0061.203] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dmyurb.exe", lpDst=0x29d438, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dmyurb.exe") returned 0x67 [0061.203] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2ad440 | out: hHeap=0x240000) returned 1 [0061.203] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29d438 | out: hHeap=0x240000) returned 1 [0061.203] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x100000) returned 0x2060020 [0061.203] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0061.203] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x275930 [0061.203] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0061.203] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x2758e0 [0061.203] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0061.203] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0061.203] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0061.203] lstrlenW (lpString="kernel32.dll") returned 12 [0061.203] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275930 | out: hHeap=0x240000) returned 1 [0061.203] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0061.203] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2758e0 | out: hHeap=0x240000) returned 1 [0061.204] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmyurb.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dmyurb.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0061.204] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dmyurb.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\dmyurb.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0061.208] ReadFile (in: hFile=0xe4, lpBuffer=0x2060020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0061.225] WriteFile (in: hFile=0xe8, lpBuffer=0x2060020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0061.229] ReadFile (in: hFile=0xe4, lpBuffer=0x2060020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0061.245] CloseHandle (hObject=0xe8) returned 1 [0061.247] CloseHandle (hObject=0xe4) returned 1 [0061.247] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0061.247] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x2758e0 [0061.247] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0061.247] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x275930 [0061.247] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0061.247] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0061.247] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0061.247] lstrlenW (lpString="kernel32.dll") returned 12 [0061.247] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275930 | out: hHeap=0x240000) returned 1 [0061.247] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0061.247] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2758e0 | out: hHeap=0x240000) returned 1 [0061.247] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2060020 | out: hHeap=0x240000) returned 1 [0061.254] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x29d438 [0061.254] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x2ad440 [0061.254] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0061.254] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x2758e0 [0061.254] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2758e0, Size=0x40) returned 0x276a38 [0061.254] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276a38, Size=0x80) returned 0x29b450 [0061.254] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x29b450, Size=0x100) returned 0x277bb0 [0061.254] lstrlenW (lpString="") returned 0 [0061.254] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0061.254] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8c) returned 0x277cb8 [0061.254] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0061.254] RegQueryValueExW (in: hKey=0xe4, lpValueName="Common Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x2ad440, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x78) returned 0x0 [0061.254] RegCloseKey (hKey=0xe4) returned 0x0 [0061.254] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x277cb8 | out: hHeap=0x240000) returned 1 [0061.254] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0061.255] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0061.255] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x277bb0 | out: hHeap=0x240000) returned 1 [0061.255] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dmyurb.exe", lpDst=0x29d438, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dmyurb.exe") returned 0x48 [0061.255] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2ad440 | out: hHeap=0x240000) returned 1 [0061.255] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29d438 | out: hHeap=0x240000) returned 1 [0061.255] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x100000) returned 0x2060020 [0061.255] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0061.255] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x2758e0 [0061.255] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0061.255] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x275930 [0061.255] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0061.255] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0061.255] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0061.255] lstrlenW (lpString="kernel32.dll") returned 12 [0061.255] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2758e0 | out: hHeap=0x240000) returned 1 [0061.255] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0061.255] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275930 | out: hHeap=0x240000) returned 1 [0061.255] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmyurb.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dmyurb.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0061.256] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dmyurb.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\dmyurb.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0061.258] ReadFile (in: hFile=0xe4, lpBuffer=0x2060020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0061.272] WriteFile (in: hFile=0xe8, lpBuffer=0x2060020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0061.275] ReadFile (in: hFile=0xe4, lpBuffer=0x2060020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2060020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0061.275] CloseHandle (hObject=0xe8) returned 1 [0061.276] CloseHandle (hObject=0xe4) returned 1 [0061.276] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0061.276] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x275930 [0061.277] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0061.277] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x2758e0 [0061.277] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0061.277] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0061.277] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0061.277] lstrlenW (lpString="kernel32.dll") returned 12 [0061.277] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2758e0 | out: hHeap=0x240000) returned 1 [0061.277] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0061.277] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275930 | out: hHeap=0x240000) returned 1 [0061.277] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2060020 | out: hHeap=0x240000) returned 1 [0061.282] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x27b428 | out: hHeap=0x240000) returned 1 [0061.282] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x28b430 | out: hHeap=0x240000) returned 1 [0061.282] lstrlenW (lpString="%windir%\\System32") returned 17 [0061.282] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2769a8 | out: hHeap=0x240000) returned 1 [0061.282] lstrlenW (lpString="%appdata%") returned 9 [0061.283] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x254398 | out: hHeap=0x240000) returned 1 [0061.283] lstrlenW (lpString="%sh(Startup)%") returned 13 [0061.283] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x254370 | out: hHeap=0x240000) returned 1 [0061.283] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0061.283] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2769f0 | out: hHeap=0x240000) returned 1 [0061.283] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0061.283] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x254370 [0061.283] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254370, Size=0x40) returned 0x2769f0 [0061.283] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2769f0, Size=0x80) returned 0x29b450 [0061.283] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0061.283] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x254370 [0061.283] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1fffc) returned 0x27b428 [0061.283] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x29d438 [0061.283] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x2ad440 [0061.283] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0061.283] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x254398 [0061.283] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254398, Size=0x40) returned 0x2769f0 [0061.283] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2769f0, Size=0x80) returned 0x29b4d8 [0061.283] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x29b4d8, Size=0x100) returned 0x277bb0 [0061.283] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0061.283] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x277bb0 | out: hHeap=0x240000) returned 1 [0061.283] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x29d438, nSize=0x7fff | out: lpDst="C:\\Windows\\system32\\cmd.exe") returned 0x1c [0061.283] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2ad440 | out: hHeap=0x240000) returned 1 [0061.283] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29d438 | out: hHeap=0x240000) returned 1 [0061.284] CreatePipe (in: hReadPipe=0x18fd58, hWritePipe=0x18fd5c, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fd58*=0xe8, hWritePipe=0x18fd5c*=0xec) returned 1 [0061.285] CreatePipe (in: hReadPipe=0x18fdc8, hWritePipe=0x18fdcc, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fdc8*=0xf0, hWritePipe=0x18fdcc*=0xf4) returned 1 [0061.285] SetHandleInformation (hObject=0xec, dwMask=0x1, dwFlags=0x0) returned 1 [0061.285] SetHandleInformation (hObject=0xf0, dwMask=0x1, dwFlags=0x0) returned 1 [0061.285] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fd68*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4), lpProcessInformation=0x18fdb8 | out: lpCommandLine=0x0, lpProcessInformation=0x18fdb8*(hProcess=0xfc, hThread=0xf8, dwProcessId=0x304, dwThreadId=0x488)) returned 1 [0061.305] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0061.305] WriteFile (in: hFile=0xec, lpBuffer=0x29b450*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x18fd64, lpOverlapped=0x0 | out: lpBuffer=0x29b450*, lpNumberOfBytesWritten=0x18fd64*=0x41, lpOverlapped=0x0) returned 1 [0061.305] CloseHandle (hObject=0xfc) returned 1 [0061.306] CloseHandle (hObject=0xf8) returned 1 [0061.306] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x27b428 | out: hHeap=0x240000) returned 1 [0061.306] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0061.306] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29b450 | out: hHeap=0x240000) returned 1 [0061.306] lstrlenW (lpString="%comspec%") returned 9 [0061.306] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x254370 | out: hHeap=0x240000) returned 1 [0061.306] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0061.307] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x274a30 [0061.307] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x274a30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0061.307] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x2547a8 [0061.307] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x2547a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0061.308] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a48 [0061.308] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a48, Size=0x20) returned 0x254370 [0061.308] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254370, Size=0x40) returned 0x2769f0 [0061.308] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0061.308] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xd0) returned 0x277c28 [0061.308] GetLogicalDrives () returned 0x4 [0061.308] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10014) returned 0x27b428 [0061.308] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a48 [0061.308] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a48, Size=0x20) returned 0x254370 [0061.308] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254370, Size=0x40) returned 0x276a80 [0061.308] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276a80, Size=0x80) returned 0x29b450 [0061.308] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x29b450, Size=0x100) returned 0x279198 [0061.308] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x279198, Size=0x200) returned 0x279198 [0061.308] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x279198, Size=0x400) returned 0x279198 [0061.309] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x279198, Size=0x800) returned 0x2797b0 [0061.309] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2797b0, Size=0x1000) returned 0x28b448 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x29d438 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a48 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x274b20 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x254750 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x274b38 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x254760 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274b50 [0061.309] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254760, Size=0x8) returned 0x254760 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274b68 [0061.309] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254760, Size=0x10) returned 0x254718 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274b80 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274b98 [0061.309] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254718, Size=0x20) returned 0x277ab0 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274bb0 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x254760 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x274bc8 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x274be0 [0061.309] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x277ab0, Size=0x40) returned 0x2752d8 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x274bf8 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x274c10 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x274c28 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x274c40 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274c58 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274c70 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x275320 [0061.309] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274c88 [0061.310] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2752d8, Size=0x80) returned 0x279198 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274ca0 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274cb8 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274cd0 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x274ce8 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2797c8 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2797e0 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2797f8 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x254718 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279810 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279828 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279840 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279858 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279870 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279888 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2798a0 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2798b8 [0061.310] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x279198, Size=0x100) returned 0x279198 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2798d0 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2798e8 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279900 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x279918 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279930 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279948 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x254728 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279960 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279978 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279990 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x277ab0 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2799a8 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2799c0 [0061.310] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x277ac0 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2799d8 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2799f0 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279a08 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279a20 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279a38 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279a50 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x279a68 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279a80 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x279a98 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279ab0 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279ac8 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279ae0 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279af8 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x277ad0 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279b10 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279b28 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279b40 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279b58 [0061.311] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x279198, Size=0x200) returned 0x279198 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279b70 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x2752d8 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279b88 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279bc8 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279be0 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279bf8 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279c10 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279c28 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279c40 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279c58 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279c70 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279c88 [0061.311] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279ca0 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279cb8 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279cd0 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279ce8 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279d00 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279d18 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279d30 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279d48 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279d60 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279d78 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279d90 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x2752e8 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279da8 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279dc0 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279dd8 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x279fc8 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279df0 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279e08 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279e20 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279e38 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279e50 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279e68 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279e80 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279e98 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279eb0 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279ec8 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279ee0 [0061.312] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279ef8 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279f10 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279f28 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279f40 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279f58 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279f70 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279f88 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c468 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c480 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c498 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x279fd8 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x279fe8 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c4b0 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c4c8 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c4e0 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c4f8 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c510 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28c528 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c540 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c558 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c570 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c588 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28c5a0 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c5b8 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c5d0 [0061.313] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x279198, Size=0x400) returned 0x279198 [0061.313] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c5e8 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c600 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28c618 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c630 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c648 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c660 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28c678 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c690 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c6a8 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c6c0 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x279ff8 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c6d8 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28c6f0 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c708 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c720 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c738 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c750 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x28c768 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c780 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c798 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c7b0 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c7c8 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c7e0 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c7f8 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c810 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c828 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a008 [0061.314] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c868 [0061.315] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c880 [0061.315] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c898 [0061.315] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c8b0 [0061.315] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c8c8 [0061.315] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c8e0 [0061.315] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c8f8 [0061.315] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c910 [0061.315] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c928 [0061.315] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x28c940 [0061.315] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28ca30 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x28ca48 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28ca18 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c9d0 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c9e8 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28ca00 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28c9a0 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28c9b8 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28ca60 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28ca78 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28ca90 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28caa8 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cac0 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cad8 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28caf0 [0061.815] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cb08 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cb20 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cb38 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cb50 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cb68 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cb80 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cb98 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cbb0 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cbc8 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cbe0 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x28cbf8 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12) returned 0x275fa0 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cc10 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28cc28 [0061.816] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e2a0 [0062.877] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e2b8 [0062.877] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e2d0 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e2e8 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e300 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e318 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e330 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e348 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e360 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e378 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e390 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e3a8 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e3c0 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e3d8 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e3f0 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e408 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e420 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e438 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e450 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e468 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e480 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x28e498 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e4b0 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a028 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e4c8 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a018 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e4e0 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e4f8 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e510 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e528 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e540 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e558 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e570 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e588 [0062.878] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e5a0 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e5b8 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e5d0 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e5e8 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e600 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e618 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a038 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e630 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e648 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e660 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e6a0 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e6b8 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e6d0 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e6e8 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a048 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a058 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e700 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e718 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e730 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e748 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e760 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e778 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e790 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e7a8 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e7c0 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e7d8 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e7f0 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e808 [0062.879] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x279198, Size=0x800) returned 0x28ea88 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e820 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e838 [0062.879] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e850 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e868 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x28e880 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e898 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e8b0 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e8c8 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e8e0 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e8f8 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e910 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e928 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a068 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e940 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e958 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28e970 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e988 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e9a0 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e9b8 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e9d0 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28e9e8 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28ea00 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28ea18 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28ea30 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28ea48 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28ea60 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2791b0 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2791c8 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12) returned 0x275fc0 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2791e0 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2791f8 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279210 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279228 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279240 [0062.880] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a078 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279258 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279270 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279288 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2792a0 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2792b8 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2792d0 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2792e8 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279300 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279318 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279330 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279348 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279360 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279378 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279390 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2793a8 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2793c0 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2793d8 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2793f0 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279408 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279420 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279438 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279450 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279468 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279480 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279498 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2794b0 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a088 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2794c8 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2794e0 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2794f8 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279510 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x279528 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279540 [0062.881] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279558 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x279570 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28f2a8 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28f2c0 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28f2d8 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28f2f0 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28f308 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28f320 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28f338 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28f350 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28f368 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28f380 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28f398 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28f3b0 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28f3c8 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28f3e0 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a098 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x28f3f8 [0062.882] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0062.882] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x28b448 | out: hHeap=0x240000) returned 1 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x28f410 [0062.882] lstrlenW (lpString="") returned 0 [0062.882] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x28f410 | out: hHeap=0x240000) returned 1 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x28f410 [0062.882] lstrlenW (lpString=".mnbzr") returned 6 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x28f428 [0062.882] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254750, Size=0x8) returned 0x254750 [0062.882] lstrlenW (lpString=".mnbzr") returned 6 [0062.882] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x28f410 | out: hHeap=0x240000) returned 1 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28f410 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a0a8 [0062.882] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x28f440 [0062.882] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x28f440, Size=0x20) returned 0x2759d0 [0062.882] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2759d0, Size=0x40) returned 0x276b10 [0062.883] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276b10, Size=0x80) returned 0x29b450 [0062.883] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12) returned 0x275fe0 [0062.883] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a0a8, Size=0x8) returned 0x27a0b8 [0062.883] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1a) returned 0x2759d0 [0062.883] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a0b8, Size=0x10) returned 0x28f440 [0062.883] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28f458 [0062.883] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1a) returned 0x275980 [0062.883] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x28f440, Size=0x20) returned 0x275840 [0062.883] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x28f440 [0062.883] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0062.883] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29b450 | out: hHeap=0x240000) returned 1 [0062.883] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x28f470 [0062.883] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x28f470, Size=0x20) returned 0x2759f8 [0062.883] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2759f8, Size=0x40) returned 0x276b10 [0062.883] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0062.883] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x28) returned 0x277ec8 [0062.883] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0062.883] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x276b10 | out: hHeap=0x240000) returned 1 [0062.883] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x28f470 [0062.883] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x28f470, Size=0x20) returned 0x2759f8 [0062.883] lstrlenW (lpString="Info.hta") returned 8 [0062.883] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12) returned 0x276000 [0062.883] lstrlenW (lpString="Info.hta") returned 8 [0062.883] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2759f8 | out: hHeap=0x240000) returned 1 [0062.883] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x2ad440 [0062.884] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2ad440, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmyurb.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dmyurb.exe")) returned 0x30 [0066.683] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2ad440 | out: hHeap=0x240000) returned 1 [0066.684] lstrlenW (lpString="dmyurb.exe") returned 10 [0066.684] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x16) returned 0x276060 [0066.684] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x275840, Size=0x40) returned 0x276d50 [0066.684] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cd7d0 [0066.685] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2cd7d0, Size=0x20) returned 0x275840 [0066.685] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x2ad440 [0066.685] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x2cf1b8 [0066.686] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cd7d0 [0066.686] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2cd7d0, Size=0x20) returned 0x275cc8 [0066.686] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x275cc8, Size=0x40) returned 0x276d98 [0066.686] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276d98, Size=0x80) returned 0x29b450 [0066.686] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x29b450, Size=0x100) returned 0x2df1c0 [0066.686] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0066.686] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df1c0 | out: hHeap=0x240000) returned 1 [0066.686] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x2ad440, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0066.686] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cf1b8 | out: hHeap=0x240000) returned 1 [0066.686] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2ad440 | out: hHeap=0x240000) returned 1 [0066.687] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2cd7d0 [0066.688] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a0c8 [0066.688] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x16) returned 0x276080 [0066.688] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a0c8, Size=0x8) returned 0x27a0d8 [0066.688] lstrlenW (lpString="%windir%;") returned 9 [0066.688] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275840 | out: hHeap=0x240000) returned 1 [0066.688] lstrlenW (lpString="C:\\Windows;") returned 11 [0066.688] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29d438 | out: hHeap=0x240000) returned 1 [0066.688] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cd7e8 [0066.688] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2cd7e8, Size=0x20) returned 0x275840 [0066.689] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x275840, Size=0x40) returned 0x276d98 [0066.689] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276d98, Size=0x80) returned 0x29b450 [0066.689] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x29b450, Size=0x100) returned 0x293690 [0066.689] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x34) returned 0x2cebf0 [0066.689] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a0c8 [0066.689] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a0e8 [0066.689] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a0f8 [0066.689] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2cd7e8 [0066.689] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a108 [0066.689] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd800 [0066.689] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a108, Size=0x8) returned 0x27a118 [0066.689] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2cd818 [0066.690] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a118, Size=0x10) returned 0x2cd830 [0066.690] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd848 [0066.690] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd860 [0066.690] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2cd830, Size=0x20) returned 0x275840 [0066.690] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2cd830 [0066.690] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd878 [0066.690] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a0c8, Size=0x8) returned 0x27a118 [0066.690] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a0e8, Size=0x8) returned 0x27a0c8 [0066.690] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a0e8 [0066.690] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2cd890 [0066.690] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a108 [0066.690] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd8a8 [0066.690] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a108, Size=0x8) returned 0x27a128 [0066.690] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd8c0 [0066.690] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a128, Size=0x10) returned 0x2cd8d8 [0066.690] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd8f0 [0066.690] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a128 [0066.690] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2cd8d8, Size=0x20) returned 0x275cc8 [0066.690] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a118, Size=0x10) returned 0x2cd8d8 [0066.691] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a0c8, Size=0x10) returned 0x2cd908 [0066.691] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a0c8 [0066.691] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2cd920 [0066.691] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a118 [0066.691] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd938 [0066.691] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a118, Size=0x8) returned 0x27a108 [0066.691] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a118 [0066.691] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2cd950 [0066.691] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a138 [0066.691] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd968 [0066.691] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a138, Size=0x8) returned 0x27a148 [0066.691] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2cd8d8, Size=0x20) returned 0x275cf0 [0066.691] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2cd908, Size=0x20) returned 0x275d18 [0066.691] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a138 [0066.691] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2cd908 [0066.691] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a158 [0066.692] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd8d8 [0066.692] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a158, Size=0x8) returned 0x27a168 [0066.692] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x14) returned 0x2760a0 [0066.692] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x14) returned 0x2760c0 [0066.693] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0066.693] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293690 | out: hHeap=0x240000) returned 1 [0066.694] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x80) returned 0x29b450 [0066.694] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a158 [0066.694] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cd980 [0066.694] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2cd980, Size=0x20) returned 0x275d68 [0066.694] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xd0) returned 0x293690 [0066.695] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x2cf1b8 [0066.695] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x2cf1b8, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0066.695] lstrlenW (lpString="C:\\") returned 3 [0066.695] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0066.696] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cf1b8 | out: hHeap=0x240000) returned 1 [0066.696] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x28) returned 0x2ced00 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cd980 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a178 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x14) returned 0x2760e0 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cd998 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x80) returned 0x29b560 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cd9b0 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x82) returned 0x293768 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cd9c8 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a188 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cd9e0 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x80) returned 0x29b5e8 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cd9f8 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x2) returned 0x27a198 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a1a8 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cda10 [0066.697] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x80) returned 0x29b670 [0066.698] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cda28 [0066.698] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a1b8 [0066.698] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a198, Size=0x82) returned 0x2937f8 [0066.698] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a1b8, Size=0x100) returned 0x293888 [0066.698] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cda40 [0066.698] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x82) returned 0x293990 [0066.698] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cda58 [0066.698] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x82) returned 0x293a20 [0066.698] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2937f8, Size=0x104) returned 0x293ab0 [0066.699] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x293888, Size=0x200) returned 0x293bc0 [0066.699] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x27a1a8 | out: hHeap=0x240000) returned 1 [0066.699] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293bc0 | out: hHeap=0x240000) returned 1 [0066.700] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cda28 | out: hHeap=0x240000) returned 1 [0066.700] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29b5e8 | out: hHeap=0x240000) returned 1 [0066.700] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cd9e0 | out: hHeap=0x240000) returned 1 [0066.700] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29b670 | out: hHeap=0x240000) returned 1 [0066.700] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cda10 | out: hHeap=0x240000) returned 1 [0066.701] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ab0 | out: hHeap=0x240000) returned 1 [0066.701] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cd9f8 | out: hHeap=0x240000) returned 1 [0066.701] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293990 | out: hHeap=0x240000) returned 1 [0066.701] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cda40 | out: hHeap=0x240000) returned 1 [0066.701] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293a20 | out: hHeap=0x240000) returned 1 [0066.701] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cda58 | out: hHeap=0x240000) returned 1 [0066.701] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x27a1a8 [0066.701] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cda58 [0066.701] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2cda58, Size=0x20) returned 0x293810 [0066.701] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x293810, Size=0x40) returned 0x276d98 [0066.701] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cda58 [0066.701] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x27a178 | out: hHeap=0x240000) returned 1 [0066.702] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cd980 | out: hHeap=0x240000) returned 1 [0066.702] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293768 | out: hHeap=0x240000) returned 1 [0066.702] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cd9b0 | out: hHeap=0x240000) returned 1 [0066.702] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29b560 | out: hHeap=0x240000) returned 1 [0066.702] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cd998 | out: hHeap=0x240000) returned 1 [0066.702] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x27a188 | out: hHeap=0x240000) returned 1 [0066.702] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cd9c8 | out: hHeap=0x240000) returned 1 [0066.702] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2ced00 | out: hHeap=0x240000) returned 1 [0066.702] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2760e0 | out: hHeap=0x240000) returned 1 [0066.702] lstrlenW (lpString="%systemdrive%") returned 13 [0066.702] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x275d68 | out: hHeap=0x240000) returned 1 [0066.702] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29b450 | out: hHeap=0x240000) returned 1 [0066.702] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x27a158 | out: hHeap=0x240000) returned 1 [0066.702] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x2c) returned 0x2ced00 [0066.702] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x2000) returned 0x293ff8 [0066.703] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x27b428, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x138 [0066.705] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10014) returned 0x2cf1b8 [0066.705] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cd9c8 [0066.705] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2cd9c8, Size=0x20) returned 0x293810 [0066.705] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x293810, Size=0x40) returned 0x276de0 [0066.705] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276de0, Size=0x80) returned 0x29b450 [0066.706] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x29b450, Size=0x100) returned 0x2df1d8 [0066.706] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2df1d8, Size=0x200) returned 0x2df1d8 [0066.706] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2df1d8, Size=0x400) returned 0x2df1d8 [0066.706] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2df1d8, Size=0x800) returned 0x2df1d8 [0066.706] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2df1d8, Size=0x1000) returned 0x2df1d8 [0066.706] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x29d438 [0066.707] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2cd9c8 [0066.707] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2cd998 [0066.707] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a158 [0066.707] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2cd9b0 [0066.707] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a188 [0066.707] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd980 [0066.707] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a158, Size=0x8) returned 0x27a178 [0066.707] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cda40 [0066.707] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a178, Size=0x10) returned 0x2cd9f8 [0066.707] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cda10 [0066.707] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd9e0 [0066.707] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2cd9f8, Size=0x20) returned 0x293810 [0066.707] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cd9f8 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a178 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x2cda28 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x2cda70 [0066.708] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x293810, Size=0x40) returned 0x276de0 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x2cda88 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x2cdaa0 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x2cdab8 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x2cdad0 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cdae8 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cdb00 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a158 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cdb18 [0066.708] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276de0, Size=0x80) returned 0x29b450 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cdb30 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2cdb48 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e01f8 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0210 [0066.708] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0228 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0240 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0258 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a1b8 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0270 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0288 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e02a0 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e02b8 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e02d0 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e02e8 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0300 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0318 [0066.709] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x29b450, Size=0x100) returned 0x296018 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0330 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0348 [0066.709] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0360 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2e0378 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0390 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e03a8 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a198 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e03c0 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e03d8 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e03f0 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x27a1c8 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0408 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0420 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a1d8 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0438 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0450 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0468 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0480 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0498 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e04b0 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x2e04c8 [0066.710] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e04e0 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x2e04f8 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0510 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0528 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0540 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0558 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a1e8 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0570 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0588 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e05a0 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e05b8 [0066.711] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x296018, Size=0x200) returned 0x2e05e0 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0800 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a1f8 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0818 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0830 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0848 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0860 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0878 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0890 [0066.711] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e08a8 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e08c0 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e08d8 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e08f0 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0908 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0920 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0938 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0950 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0968 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0980 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0998 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e09b0 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e09c8 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e09e0 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e09f8 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a208 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0a10 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0a28 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0a40 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a218 [0066.712] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0a58 [0066.713] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0a70 [0066.713] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0a88 [0066.713] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0aa0 [0066.713] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0ab8 [0066.713] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0ad0 [0066.713] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0ae8 [0066.713] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0b00 [0066.713] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0b18 [0066.713] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0b30 [0066.713] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0b48 [0066.713] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0b60 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0b78 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0b90 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0ba8 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0bc0 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0c00 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0c18 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0c30 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0c48 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0c60 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a228 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x27a238 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0c78 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0c90 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0ca8 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0cc0 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0cd8 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0cf0 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0d08 [0066.714] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0d20 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0d38 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0d50 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0d68 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0d80 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0d98 [0066.715] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2e05e0, Size=0x400) returned 0x2e0fe8 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0db0 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0dc8 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0de0 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0df8 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0e10 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0e28 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0e40 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0e58 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0e70 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0e88 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a248 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0ea0 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x2e0eb8 [0066.715] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0ed0 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0ee8 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0f00 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0f18 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x2e0f30 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0f48 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0f60 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0f78 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0f90 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0fa8 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e0fc0 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e1408 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e1420 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x8) returned 0x27a258 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e1438 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e1450 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e1468 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e1480 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e1498 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e14b0 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e14c8 [0066.716] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e14e0 [0066.717] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e14f8 [0066.717] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xe) returned 0x2e1510 [0066.717] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xa) returned 0x2e1528 [0066.717] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2e0fe8, Size=0x800) returned 0x298000 [0066.717] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298970, Size=0x20) returned 0x2df1f0 [0066.717] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2df1f0, Size=0x40) returned 0x276de0 [0066.717] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276de0, Size=0x80) returned 0x29b450 [0066.717] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a2f8, Size=0x8) returned 0x27a308 [0066.717] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a308, Size=0x10) returned 0x298970 [0066.717] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298970, Size=0x20) returned 0x2df240 [0066.717] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2989a0, Size=0x20) returned 0x2df268 [0066.718] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2df268, Size=0x40) returned 0x276de0 [0066.718] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0066.718] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2989a0, Size=0x20) returned 0x2df268 [0066.718] lstrlenW (lpString="Info.hta") returned 8 [0066.718] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2ad440, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmyurb.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dmyurb.exe")) returned 0x30 [0066.718] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2ad440 | out: hHeap=0x240000) returned 1 [0066.718] lstrlenW (lpString="dmyurb.exe") returned 10 [0066.718] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2df240, Size=0x40) returned 0x276de0 [0066.718] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2989a0, Size=0x20) returned 0x2df240 [0066.719] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2989a0, Size=0x20) returned 0x2df268 [0066.719] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2df268, Size=0x40) returned 0x276e28 [0066.719] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276e28, Size=0x80) returned 0x29b450 [0066.719] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x29b450, Size=0x100) returned 0x296018 [0066.719] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0066.719] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x296018 | out: hHeap=0x240000) returned 1 [0066.719] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x2ad440, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0066.719] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2e1bf0 | out: hHeap=0x240000) returned 1 [0066.719] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2ad440 | out: hHeap=0x240000) returned 1 [0066.720] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a308, Size=0x8) returned 0x27a2f8 [0066.720] lstrlenW (lpString="%windir%;") returned 9 [0066.720] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df240 | out: hHeap=0x240000) returned 1 [0066.720] lstrlenW (lpString="C:\\Windows;") returned 11 [0066.720] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29d438 | out: hHeap=0x240000) returned 1 [0066.720] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2989b8, Size=0x20) returned 0x2df240 [0066.720] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2df240, Size=0x40) returned 0x276e28 [0066.720] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276e28, Size=0x80) returned 0x29b450 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x29b450, Size=0x100) returned 0x296018 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a338, Size=0x8) returned 0x27a348 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a348, Size=0x10) returned 0x298a00 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298a00, Size=0x20) returned 0x2df240 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a308, Size=0x8) returned 0x27a348 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a318, Size=0x8) returned 0x27a308 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a338, Size=0x8) returned 0x27a358 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a358, Size=0x10) returned 0x298aa8 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298aa8, Size=0x20) returned 0x2df268 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a348, Size=0x10) returned 0x298aa8 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a308, Size=0x10) returned 0x298ad8 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a348, Size=0x8) returned 0x27a338 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a368, Size=0x8) returned 0x27a378 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298aa8, Size=0x20) returned 0x2df290 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298ad8, Size=0x20) returned 0x2df2b8 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a388, Size=0x8) returned 0x27a398 [0066.721] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298b50, Size=0x20) returned 0x2df308 [0066.722] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x2e1bf0, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0066.722] lstrlenW (lpString="C:\\") returned 3 [0066.722] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0066.722] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2e1bf0 | out: hHeap=0x240000) returned 1 [0066.723] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2e1020, Size=0x82) returned 0x2df9d8 [0066.723] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2e1040, Size=0x100) returned 0x296018 [0066.723] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2df9d8, Size=0x104) returned 0x2dfb88 [0066.724] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x296018, Size=0x200) returned 0x2e1c08 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2e1030 | out: hHeap=0x240000) returned 1 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2e1c08 | out: hHeap=0x240000) returned 1 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x298bf8 | out: hHeap=0x240000) returned 1 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29b670 | out: hHeap=0x240000) returned 1 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x298bb0 | out: hHeap=0x240000) returned 1 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x29b5e8 | out: hHeap=0x240000) returned 1 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x298be0 | out: hHeap=0x240000) returned 1 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2dfb88 | out: hHeap=0x240000) returned 1 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x298bc8 | out: hHeap=0x240000) returned 1 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2dfa68 | out: hHeap=0x240000) returned 1 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x298c10 | out: hHeap=0x240000) returned 1 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2dfaf8 | out: hHeap=0x240000) returned 1 [0066.726] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x298c28 | out: hHeap=0x240000) returned 1 [0066.726] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298c28, Size=0x20) returned 0x2df330 [0066.726] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2df330, Size=0x40) returned 0x276e28 [0066.764] WaitForMultipleObjects (nCount=0x2, lpHandles=0x277c28*=0x138, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x788 Thread: id = 4 os_tid = 0x36c [0061.782] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x28c958 [0061.783] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x28c958, Size=0x20) returned 0x254370 [0061.783] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254370, Size=0x40) returned 0x276a80 [0061.783] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276a80, Size=0x80) returned 0x29b450 [0061.783] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x29b450, Size=0x100) returned 0x28ce60 [0061.783] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x28c958 [0061.783] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x28c958, Size=0x20) returned 0x254370 [0061.783] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x254370, Size=0x40) returned 0x276a80 [0061.783] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x276a80, Size=0x80) returned 0x29b450 [0061.783] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x29b450, Size=0x100) returned 0x28cf68 [0061.783] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28c958 [0061.783] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a018 [0061.783] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x28c970 [0061.783] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a018, Size=0x8) returned 0x27a028 [0061.783] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x14) returned 0x275f00 [0061.783] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a028, Size=0x10) returned 0x28c988 [0061.783] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x18) returned 0x275f20 [0061.783] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1a) returned 0x254370 [0061.783] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x28c988, Size=0x20) returned 0x254398 [0061.783] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1c) returned 0x254348 [0061.783] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x16) returned 0x275f40 [0061.784] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1a) returned 0x275930 [0061.784] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xc) returned 0x28c988 [0061.784] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x4) returned 0x27a028 [0061.784] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40) returned 0x276a80 [0061.784] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a028, Size=0x8) returned 0x27a018 [0061.784] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x3c) returned 0x276ac8 [0061.784] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x27a018, Size=0x10) returned 0x28c9a0 [0061.784] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x14) returned 0x275f60 [0061.784] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x18) returned 0x275f80 [0061.784] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x28c9a0, Size=0x20) returned 0x2758e0 [0061.784] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x24) returned 0x277e98 [0061.784] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0061.784] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x28ce60 | out: hHeap=0x240000) returned 1 [0061.784] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0061.784] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x28cf68 | out: hHeap=0x240000) returned 1 [0061.784] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x275980 [0061.785] EnumServicesStatusExW (in: hSCManager=0x275980, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0061.785] GetLastError () returned 0xea [0061.785] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x11e4) returned 0x28e3d0 [0061.785] EnumServicesStatusExW (in: hSCManager=0x275980, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x28e3d0, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x28e3d0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0061.786] CloseServiceHandle (hSCObject=0x275980) returned 1 [0061.787] lstrlenW (lpString="Appinfo") returned 7 [0061.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0061.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0061.787] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0061.787] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0061.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0061.787] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0061.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0061.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0061.787] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0061.787] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0061.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0061.787] lstrlenW (lpString="AudioSrv") returned 8 [0061.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0061.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0061.787] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0061.787] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0061.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0061.787] lstrlenW (lpString="BFE") returned 3 [0061.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0061.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0061.787] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0061.787] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0061.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0061.788] lstrlenW (lpString="CryptSvc") returned 8 [0061.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0061.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0061.788] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0061.788] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0061.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0061.788] lstrlenW (lpString="CscService") returned 10 [0061.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0061.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0061.788] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0061.788] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0061.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0061.788] lstrlenW (lpString="DcomLaunch") returned 10 [0061.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0061.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0061.788] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0061.788] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0061.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0061.788] lstrlenW (lpString="Dhcp") returned 4 [0061.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0061.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0061.788] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0061.788] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0061.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0061.788] lstrlenW (lpString="Dnscache") returned 8 [0061.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0061.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0061.789] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0061.789] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0061.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0061.789] lstrlenW (lpString="DPS") returned 3 [0061.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0061.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0061.789] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0061.789] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0061.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0061.789] lstrlenW (lpString="eventlog") returned 8 [0061.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0061.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0061.789] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0061.789] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0061.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0061.789] lstrlenW (lpString="EventSystem") returned 11 [0061.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0061.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0061.789] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0061.789] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0061.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0061.789] lstrlenW (lpString="gpsvc") returned 5 [0061.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0061.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0061.790] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0061.790] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0061.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0061.790] lstrlenW (lpString="iphlpsvc") returned 8 [0061.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0061.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0061.790] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0061.790] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0061.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0061.790] lstrlenW (lpString="LanmanServer") returned 12 [0061.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0061.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0061.790] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0061.790] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0061.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0061.790] lstrlenW (lpString="LanmanWorkstation") returned 17 [0061.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0061.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0061.790] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0061.790] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0061.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0061.790] lstrlenW (lpString="lmhosts") returned 7 [0061.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0061.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0061.790] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0061.790] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0061.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0061.790] lstrlenW (lpString="MMCSS") returned 5 [0061.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0061.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0061.791] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0061.791] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0061.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0061.791] lstrlenW (lpString="MpsSvc") returned 6 [0061.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0061.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0061.791] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0061.791] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0061.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0061.791] lstrlenW (lpString="Netman") returned 6 [0061.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0061.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0061.791] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0061.791] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0061.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0061.791] lstrlenW (lpString="netprofm") returned 8 [0061.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0061.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0061.791] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0061.791] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0061.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0061.791] lstrlenW (lpString="NlaSvc") returned 6 [0061.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0061.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0061.791] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0061.791] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0061.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0061.792] lstrlenW (lpString="nsi") returned 3 [0061.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0061.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0061.792] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0061.792] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0061.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0061.792] lstrlenW (lpString="PcaSvc") returned 6 [0061.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0061.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0061.792] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0061.792] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0061.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0061.792] lstrlenW (lpString="PlugPlay") returned 8 [0061.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0061.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0061.792] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0061.792] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0061.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0061.792] lstrlenW (lpString="Power") returned 5 [0061.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0061.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0061.792] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0061.792] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0061.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0061.792] lstrlenW (lpString="ProfSvc") returned 7 [0061.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0061.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0061.792] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0061.792] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0061.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0061.793] lstrlenW (lpString="RpcEptMapper") returned 12 [0061.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0061.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0061.793] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0061.793] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0061.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0061.793] lstrlenW (lpString="RpcSs") returned 5 [0061.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0061.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0061.793] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0061.793] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0061.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0061.793] lstrlenW (lpString="SamSs") returned 5 [0061.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0061.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0061.793] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0061.793] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0061.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0061.793] lstrlenW (lpString="Schedule") returned 8 [0061.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0061.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0061.793] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0061.793] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0061.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0061.793] lstrlenW (lpString="SENS") returned 4 [0061.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0061.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0061.793] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0061.793] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0061.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0061.793] lstrlenW (lpString="ShellHWDetection") returned 16 [0061.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0061.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0061.794] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0061.794] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0061.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0061.794] lstrlenW (lpString="Spooler") returned 7 [0061.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0061.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0061.794] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0061.794] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0061.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0061.794] lstrlenW (lpString="SysMain") returned 7 [0061.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0061.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0061.794] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0061.794] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0061.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0061.794] lstrlenW (lpString="Themes") returned 6 [0061.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0061.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0061.794] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0061.794] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0061.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0061.794] lstrlenW (lpString="TrkWks") returned 6 [0061.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0061.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0061.794] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0061.794] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0061.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0061.794] lstrlenW (lpString="UxSms") returned 5 [0061.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0061.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0061.795] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0061.795] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0061.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0061.795] lstrlenW (lpString="WdiServiceHost") returned 14 [0061.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0061.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0061.795] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0061.795] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0061.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0061.795] lstrlenW (lpString="WdiSystemHost") returned 13 [0061.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0061.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0061.795] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0061.795] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0061.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0061.795] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0061.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0061.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0061.795] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0061.795] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0061.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0061.795] lstrlenW (lpString="Winmgmt") returned 7 [0061.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0061.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0061.795] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0061.795] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0061.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0061.795] lstrlenW (lpString="WPDBusEnum") returned 10 [0061.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0061.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0061.795] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0061.795] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0061.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0061.796] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x28e3d0 | out: hHeap=0x240000) returned 1 [0061.796] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x110 [0061.801] Process32FirstW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0061.801] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0061.802] lstrlenW (lpString="System") returned 6 [0061.802] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0061.802] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0061.802] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0061.802] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0061.802] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0061.802] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0061.802] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0061.802] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0061.803] lstrlenW (lpString="smss.exe") returned 8 [0061.803] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0061.803] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0061.803] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0061.803] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0061.803] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0061.803] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0061.803] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0061.803] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0061.804] lstrlenW (lpString="csrss.exe") returned 9 [0061.804] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0061.804] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0061.804] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0061.804] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0061.804] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0061.804] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0061.804] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0061.804] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0061.805] lstrlenW (lpString="wininit.exe") returned 11 [0061.805] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0061.805] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0061.805] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0061.805] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0061.805] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0061.805] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0061.805] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0061.805] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0061.806] lstrlenW (lpString="csrss.exe") returned 9 [0061.806] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0061.806] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0061.806] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0061.806] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0061.806] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0061.806] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0061.806] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0061.807] lstrlenW (lpString="winlogon.exe") returned 12 [0061.807] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0061.807] lstrlenW (lpString="services.exe") returned 12 [0061.807] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0061.808] lstrlenW (lpString="lsass.exe") returned 9 [0061.808] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0061.808] lstrlenW (lpString="lsm.exe") returned 7 [0061.809] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.809] lstrlenW (lpString="svchost.exe") returned 11 [0061.809] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.810] lstrlenW (lpString="svchost.exe") returned 11 [0061.810] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.810] lstrlenW (lpString="svchost.exe") returned 11 [0061.810] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.811] lstrlenW (lpString="svchost.exe") returned 11 [0061.811] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.811] lstrlenW (lpString="svchost.exe") returned 11 [0061.812] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0061.812] lstrlenW (lpString="audiodg.exe") returned 11 [0061.812] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.813] lstrlenW (lpString="svchost.exe") returned 11 [0061.813] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.813] lstrlenW (lpString="svchost.exe") returned 11 [0061.813] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0062.892] lstrlenW (lpString="dwm.exe") returned 7 [0062.892] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0062.893] lstrlenW (lpString="explorer.exe") returned 12 [0062.893] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0062.893] lstrlenW (lpString="spoolsv.exe") returned 11 [0062.893] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.894] lstrlenW (lpString="svchost.exe") returned 11 [0062.894] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0062.894] lstrlenW (lpString="taskhost.exe") returned 12 [0062.894] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0062.895] lstrlenW (lpString="taskeng.exe") returned 11 [0062.895] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0062.895] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0062.895] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0062.896] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0062.896] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0062.896] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0062.896] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0062.897] lstrlenW (lpString="celebration.exe") returned 15 [0062.897] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0062.897] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0062.897] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0062.898] lstrlenW (lpString="americansislamic.exe") returned 20 [0062.898] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0062.898] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0062.899] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0062.899] lstrlenW (lpString="sm-aud.exe") returned 10 [0062.899] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0062.900] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0062.900] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0062.900] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0062.900] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0062.901] lstrlenW (lpString="lap.exe") returned 7 [0062.901] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0062.901] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0062.901] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0062.902] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0062.902] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0062.902] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0062.902] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0062.903] lstrlenW (lpString="completion.exe") returned 14 [0062.903] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0062.903] lstrlenW (lpString="independently.exe") returned 17 [0062.903] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0062.904] lstrlenW (lpString="mel_kinase.exe") returned 14 [0062.904] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0062.904] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0062.904] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0062.905] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0062.905] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0062.905] lstrlenW (lpString="3dftp.exe") returned 9 [0062.905] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0062.906] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0062.906] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0062.906] lstrlenW (lpString="alftp.exe") returned 9 [0062.906] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0062.907] lstrlenW (lpString="barca.exe") returned 9 [0062.907] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0062.907] lstrlenW (lpString="bitkinex.exe") returned 12 [0062.907] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0062.908] lstrlenW (lpString="coreftp.exe") returned 11 [0062.908] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0062.908] lstrlenW (lpString="far.exe") returned 7 [0062.908] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0062.909] lstrlenW (lpString="filezilla.exe") returned 13 [0062.909] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0062.909] lstrlenW (lpString="flashfxp.exe") returned 12 [0062.909] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0062.910] lstrlenW (lpString="fling.exe") returned 9 [0062.910] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0062.910] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0062.911] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0062.911] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0062.911] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0062.912] lstrlenW (lpString="icq.exe") returned 7 [0062.912] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0062.912] lstrlenW (lpString="leechftp.exe") returned 12 [0062.912] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0062.913] lstrlenW (lpString="ncftp.exe") returned 9 [0062.913] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0062.913] lstrlenW (lpString="notepad.exe") returned 11 [0062.913] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0062.914] lstrlenW (lpString="operamail.exe") returned 13 [0062.914] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0062.915] lstrlenW (lpString="pidgin.exe") returned 10 [0062.915] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0062.918] lstrlenW (lpString="scriptftp.exe") returned 13 [0062.918] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0062.919] lstrlenW (lpString="skype.exe") returned 9 [0062.919] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0062.920] lstrlenW (lpString="smartftp.exe") returned 12 [0062.920] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0062.920] lstrlenW (lpString="thunderbird.exe") returned 15 [0062.920] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0062.921] lstrlenW (lpString="totalcmd.exe") returned 12 [0062.921] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0062.923] lstrlenW (lpString="trillian.exe") returned 12 [0062.923] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0062.923] lstrlenW (lpString="webdrive.exe") returned 12 [0062.923] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0062.924] lstrlenW (lpString="whatsapp.exe") returned 12 [0062.924] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0062.925] lstrlenW (lpString="winscp.exe") returned 10 [0062.925] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0062.926] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0062.926] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0062.927] lstrlenW (lpString="active-charge.exe") returned 17 [0062.927] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0062.927] lstrlenW (lpString="accupos.exe") returned 11 [0062.927] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0062.928] lstrlenW (lpString="afr38.exe") returned 9 [0062.928] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0062.929] lstrlenW (lpString="aldelo.exe") returned 10 [0062.929] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0062.930] lstrlenW (lpString="ccv_server.exe") returned 14 [0062.930] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0062.931] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0062.931] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0062.932] lstrlenW (lpString="creditservice.exe") returned 17 [0062.932] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0062.933] lstrlenW (lpString="edcsvr.exe") returned 10 [0062.933] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0062.934] lstrlenW (lpString="fpos.exe") returned 8 [0062.934] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0062.934] lstrlenW (lpString="isspos.exe") returned 10 [0062.934] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0062.935] lstrlenW (lpString="mxslipstream.exe") returned 16 [0062.935] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0062.936] lstrlenW (lpString="omnipos.exe") returned 11 [0062.936] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0062.936] lstrlenW (lpString="spcwin.exe") returned 10 [0062.936] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0062.937] lstrlenW (lpString="spgagentservice.exe") returned 19 [0062.937] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0062.965] lstrlenW (lpString="utg2.exe") returned 8 [0062.965] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0062.966] lstrlenW (lpString="forced-british.exe") returned 18 [0062.967] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0062.967] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0062.967] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0062.968] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0062.969] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0062.969] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0062.969] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0062.970] lstrlenW (lpString="kenya.exe") returned 9 [0062.970] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0062.971] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0062.971] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0062.972] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0062.972] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0062.973] lstrlenW (lpString="taskhost.exe") returned 12 [0062.973] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0062.974] lstrlenW (lpString="dllhost.exe") returned 11 [0062.974] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0062.974] lstrlenW (lpString="dllhost.exe") returned 11 [0062.974] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0062.975] lstrlenW (lpString="dmyurb.exe") returned 10 [0062.975] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0062.976] lstrlenW (lpString="cmd.exe") returned 7 [0062.976] Process32NextW (in: hSnapshot=0x110, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0062.977] CloseHandle (hObject=0x110) returned 1 [0062.977] Sleep (dwMilliseconds=0x1f4) [0064.931] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x275a48 [0064.940] EnumServicesStatusExW (in: hSCManager=0x275a48, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0064.942] GetLastError () returned 0xea [0064.942] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x11e4) returned 0x2cdc48 [0064.942] EnumServicesStatusExW (in: hSCManager=0x275a48, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x2cdc48, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x2cdc48, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0064.943] CloseServiceHandle (hSCObject=0x275a48) returned 1 [0064.943] lstrlenW (lpString="Appinfo") returned 7 [0064.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0064.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0064.943] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0064.943] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0064.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0064.944] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0064.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0064.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0064.944] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0064.944] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0064.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0064.944] lstrlenW (lpString="AudioSrv") returned 8 [0064.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0064.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0064.944] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0064.944] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0064.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0064.944] lstrlenW (lpString="BFE") returned 3 [0064.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0064.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0064.944] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0064.944] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0064.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0064.944] lstrlenW (lpString="CryptSvc") returned 8 [0064.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0064.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0064.944] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0064.944] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0064.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0064.944] lstrlenW (lpString="CscService") returned 10 [0064.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0064.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0064.944] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0064.944] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0064.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0064.944] lstrlenW (lpString="DcomLaunch") returned 10 [0064.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0064.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0064.945] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0064.945] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0064.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0064.945] lstrlenW (lpString="Dhcp") returned 4 [0064.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0064.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0064.945] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0064.945] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0064.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0064.945] lstrlenW (lpString="Dnscache") returned 8 [0064.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0064.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0064.945] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0064.945] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0064.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0064.945] lstrlenW (lpString="DPS") returned 3 [0064.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0064.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0064.945] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0064.945] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0064.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0064.945] lstrlenW (lpString="eventlog") returned 8 [0064.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0064.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0064.945] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0064.945] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0064.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0064.945] lstrlenW (lpString="EventSystem") returned 11 [0064.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0064.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0064.946] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0064.946] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0064.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0064.946] lstrlenW (lpString="gpsvc") returned 5 [0064.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0064.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0064.946] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0064.946] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0064.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0064.946] lstrlenW (lpString="iphlpsvc") returned 8 [0064.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0064.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0064.946] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0064.946] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0064.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0064.946] lstrlenW (lpString="LanmanServer") returned 12 [0064.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0064.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0064.946] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0064.946] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0064.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0064.946] lstrlenW (lpString="LanmanWorkstation") returned 17 [0064.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0064.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0064.946] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0064.946] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0064.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0064.946] lstrlenW (lpString="lmhosts") returned 7 [0064.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0064.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0064.946] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0064.946] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0064.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0064.946] lstrlenW (lpString="MMCSS") returned 5 [0064.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0064.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0064.947] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0064.947] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0064.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0064.947] lstrlenW (lpString="MpsSvc") returned 6 [0064.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0064.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0064.947] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0064.947] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0064.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0064.947] lstrlenW (lpString="Netman") returned 6 [0064.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0064.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0064.947] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0064.947] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0064.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0064.947] lstrlenW (lpString="netprofm") returned 8 [0064.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0064.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0064.947] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0064.947] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0064.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0064.947] lstrlenW (lpString="NlaSvc") returned 6 [0064.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0064.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0064.947] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0064.947] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0064.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0064.947] lstrlenW (lpString="nsi") returned 3 [0064.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0064.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0064.948] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0064.948] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0064.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0064.948] lstrlenW (lpString="PcaSvc") returned 6 [0064.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0064.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0064.948] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0064.948] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0064.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0064.948] lstrlenW (lpString="PlugPlay") returned 8 [0064.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0064.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0064.948] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0064.948] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0064.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0064.948] lstrlenW (lpString="Power") returned 5 [0064.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0064.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0064.948] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0064.948] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0064.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0064.948] lstrlenW (lpString="ProfSvc") returned 7 [0064.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0064.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0064.948] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0064.948] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0064.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0064.949] lstrlenW (lpString="RpcEptMapper") returned 12 [0064.949] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0064.949] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0064.949] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0064.949] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0064.949] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0064.949] lstrlenW (lpString="RpcSs") returned 5 [0064.949] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0064.949] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0064.949] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0064.949] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0064.949] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0064.949] lstrlenW (lpString="SamSs") returned 5 [0064.949] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0064.949] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0064.949] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0064.949] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0064.949] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0064.949] lstrlenW (lpString="Schedule") returned 8 [0064.949] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0064.949] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0064.949] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0064.949] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0064.949] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0064.949] lstrlenW (lpString="SENS") returned 4 [0064.949] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0064.949] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0064.949] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0064.949] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0064.949] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0064.949] lstrlenW (lpString="ShellHWDetection") returned 16 [0064.950] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0064.950] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0064.950] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0064.950] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0064.950] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0064.950] lstrlenW (lpString="Spooler") returned 7 [0064.950] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0064.950] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0064.950] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0064.950] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0064.950] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0064.950] lstrlenW (lpString="SysMain") returned 7 [0064.950] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0064.950] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0064.950] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0064.950] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0064.950] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0064.950] lstrlenW (lpString="Themes") returned 6 [0064.950] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0064.950] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0064.950] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0064.950] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0064.950] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0064.950] lstrlenW (lpString="TrkWks") returned 6 [0064.950] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0064.951] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0064.951] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0064.951] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0064.951] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0064.951] lstrlenW (lpString="UxSms") returned 5 [0064.951] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0064.951] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0064.951] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0064.951] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0064.951] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0064.951] lstrlenW (lpString="WdiServiceHost") returned 14 [0064.951] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0064.951] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0064.951] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0064.951] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0064.951] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0064.951] lstrlenW (lpString="WdiSystemHost") returned 13 [0064.951] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0064.951] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0064.951] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0064.951] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0064.951] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0064.951] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0064.951] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0064.951] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0064.951] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0064.951] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0064.951] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0064.951] lstrlenW (lpString="Winmgmt") returned 7 [0064.951] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0064.951] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0064.951] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0064.951] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0064.951] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0064.952] lstrlenW (lpString="WPDBusEnum") returned 10 [0064.952] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0064.952] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0064.952] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0064.952] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0064.952] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0064.952] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cdc48 | out: hHeap=0x240000) returned 1 [0064.952] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x120 [0065.290] Process32FirstW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0065.291] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0065.291] lstrlenW (lpString="System") returned 6 [0065.291] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0065.291] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0065.291] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0065.291] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0065.291] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0065.291] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0065.292] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0065.292] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0065.292] lstrlenW (lpString="smss.exe") returned 8 [0065.292] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0065.292] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0065.292] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0065.292] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0065.292] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0065.292] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0065.292] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0065.292] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0065.293] lstrlenW (lpString="csrss.exe") returned 9 [0065.293] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0065.293] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0065.293] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0065.293] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0065.293] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0065.293] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0065.293] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0065.293] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0065.293] lstrlenW (lpString="wininit.exe") returned 11 [0065.293] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0065.294] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0065.294] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0065.294] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0065.294] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0065.294] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0065.294] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0065.294] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0065.294] lstrlenW (lpString="csrss.exe") returned 9 [0065.294] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0065.294] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0065.294] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0065.294] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0065.294] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0065.294] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0065.294] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0065.295] lstrlenW (lpString="winlogon.exe") returned 12 [0065.295] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0065.296] lstrlenW (lpString="services.exe") returned 12 [0065.296] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0065.296] lstrlenW (lpString="lsass.exe") returned 9 [0065.296] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0065.297] lstrlenW (lpString="lsm.exe") returned 7 [0065.297] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.297] lstrlenW (lpString="svchost.exe") returned 11 [0065.297] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.298] lstrlenW (lpString="svchost.exe") returned 11 [0065.298] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.298] lstrlenW (lpString="svchost.exe") returned 11 [0065.299] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.299] lstrlenW (lpString="svchost.exe") returned 11 [0065.299] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.300] lstrlenW (lpString="svchost.exe") returned 11 [0065.300] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0065.300] lstrlenW (lpString="audiodg.exe") returned 11 [0065.300] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.301] lstrlenW (lpString="svchost.exe") returned 11 [0065.301] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.301] lstrlenW (lpString="svchost.exe") returned 11 [0065.301] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0065.302] lstrlenW (lpString="dwm.exe") returned 7 [0065.302] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0065.302] lstrlenW (lpString="explorer.exe") returned 12 [0065.302] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0065.303] lstrlenW (lpString="spoolsv.exe") returned 11 [0065.303] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0065.303] lstrlenW (lpString="svchost.exe") returned 11 [0065.303] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0065.304] lstrlenW (lpString="taskhost.exe") returned 12 [0065.304] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0065.304] lstrlenW (lpString="taskeng.exe") returned 11 [0065.304] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0065.305] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0065.305] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0065.306] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0065.306] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0065.306] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0065.306] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0065.307] lstrlenW (lpString="celebration.exe") returned 15 [0065.307] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0065.308] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0065.308] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0065.308] lstrlenW (lpString="americansislamic.exe") returned 20 [0065.308] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0065.309] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0065.309] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0065.310] lstrlenW (lpString="sm-aud.exe") returned 10 [0065.310] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0065.310] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0065.310] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0065.311] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0065.311] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0065.312] lstrlenW (lpString="lap.exe") returned 7 [0065.312] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0065.312] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0065.312] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0065.313] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0065.313] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0065.314] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0065.314] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0065.314] lstrlenW (lpString="completion.exe") returned 14 [0065.314] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0065.315] lstrlenW (lpString="independently.exe") returned 17 [0065.315] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0065.315] lstrlenW (lpString="mel_kinase.exe") returned 14 [0065.315] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0065.316] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0065.316] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0065.317] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0065.317] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0065.318] lstrlenW (lpString="3dftp.exe") returned 9 [0065.318] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0065.318] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0065.318] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0065.319] lstrlenW (lpString="alftp.exe") returned 9 [0065.319] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0065.319] lstrlenW (lpString="barca.exe") returned 9 [0065.319] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0065.320] lstrlenW (lpString="bitkinex.exe") returned 12 [0065.320] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0065.321] lstrlenW (lpString="coreftp.exe") returned 11 [0065.321] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0065.321] lstrlenW (lpString="far.exe") returned 7 [0065.321] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0065.322] lstrlenW (lpString="filezilla.exe") returned 13 [0065.322] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0065.322] lstrlenW (lpString="flashfxp.exe") returned 12 [0065.322] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0065.323] lstrlenW (lpString="fling.exe") returned 9 [0065.323] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0065.324] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0065.324] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0065.403] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0065.403] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0065.411] lstrlenW (lpString="icq.exe") returned 7 [0065.413] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0065.612] lstrlenW (lpString="leechftp.exe") returned 12 [0065.612] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0065.612] lstrlenW (lpString="ncftp.exe") returned 9 [0065.612] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0065.613] lstrlenW (lpString="notepad.exe") returned 11 [0065.613] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0065.614] lstrlenW (lpString="operamail.exe") returned 13 [0065.614] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0065.615] lstrlenW (lpString="pidgin.exe") returned 10 [0065.615] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0065.615] lstrlenW (lpString="scriptftp.exe") returned 13 [0065.615] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0065.616] lstrlenW (lpString="skype.exe") returned 9 [0065.617] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0065.617] lstrlenW (lpString="smartftp.exe") returned 12 [0065.618] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0065.618] lstrlenW (lpString="thunderbird.exe") returned 15 [0065.618] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0065.619] lstrlenW (lpString="totalcmd.exe") returned 12 [0065.619] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0065.620] lstrlenW (lpString="trillian.exe") returned 12 [0065.620] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0065.622] lstrlenW (lpString="webdrive.exe") returned 12 [0065.622] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0065.623] lstrlenW (lpString="whatsapp.exe") returned 12 [0065.623] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0065.624] lstrlenW (lpString="winscp.exe") returned 10 [0065.624] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0065.625] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0065.625] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0065.625] lstrlenW (lpString="active-charge.exe") returned 17 [0065.625] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0065.626] lstrlenW (lpString="accupos.exe") returned 11 [0065.626] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0065.627] lstrlenW (lpString="afr38.exe") returned 9 [0065.627] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0065.628] lstrlenW (lpString="aldelo.exe") returned 10 [0065.628] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0065.629] lstrlenW (lpString="ccv_server.exe") returned 14 [0065.629] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0065.630] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0065.630] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0065.631] lstrlenW (lpString="creditservice.exe") returned 17 [0065.631] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0065.632] lstrlenW (lpString="edcsvr.exe") returned 10 [0065.632] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0065.632] lstrlenW (lpString="fpos.exe") returned 8 [0065.632] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0065.633] lstrlenW (lpString="isspos.exe") returned 10 [0065.633] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0065.634] lstrlenW (lpString="mxslipstream.exe") returned 16 [0065.634] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0065.635] lstrlenW (lpString="omnipos.exe") returned 11 [0065.635] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0065.635] lstrlenW (lpString="spcwin.exe") returned 10 [0065.635] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0065.636] lstrlenW (lpString="spgagentservice.exe") returned 19 [0065.636] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0065.637] lstrlenW (lpString="utg2.exe") returned 8 [0065.637] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0065.638] lstrlenW (lpString="forced-british.exe") returned 18 [0065.638] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0065.639] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0065.639] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0065.639] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0065.639] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0065.640] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0065.640] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0065.641] lstrlenW (lpString="kenya.exe") returned 9 [0065.641] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0065.642] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0065.642] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0065.642] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0065.642] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0065.643] lstrlenW (lpString="taskhost.exe") returned 12 [0065.643] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0065.644] lstrlenW (lpString="dllhost.exe") returned 11 [0065.644] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0065.645] lstrlenW (lpString="dllhost.exe") returned 11 [0065.645] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0065.646] lstrlenW (lpString="dmyurb.exe") returned 10 [0065.646] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0065.647] lstrlenW (lpString="cmd.exe") returned 7 [0065.647] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0065.647] lstrlenW (lpString="conhost.exe") returned 11 [0065.647] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0065.648] lstrlenW (lpString="mode.com") returned 8 [0065.648] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0065.648] CloseHandle (hObject=0x120) returned 1 [0065.648] Sleep (dwMilliseconds=0x1f4) [0066.153] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x275b60 [0066.153] EnumServicesStatusExW (in: hSCManager=0x275b60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0066.154] GetLastError () returned 0xea [0066.154] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x11e4) returned 0x2cdaf8 [0066.154] EnumServicesStatusExW (in: hSCManager=0x275b60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x2cdaf8, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x2cdaf8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0066.155] CloseServiceHandle (hSCObject=0x275b60) returned 1 [0066.155] lstrlenW (lpString="Appinfo") returned 7 [0066.155] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0066.155] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0066.155] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0066.155] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0066.155] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0066.155] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0066.155] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0066.155] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0066.155] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0066.155] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0066.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0066.156] lstrlenW (lpString="AudioSrv") returned 8 [0066.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0066.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0066.156] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0066.156] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0066.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0066.156] lstrlenW (lpString="BFE") returned 3 [0066.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0066.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0066.156] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0066.156] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0066.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0066.156] lstrlenW (lpString="CryptSvc") returned 8 [0066.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0066.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0066.156] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0066.156] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0066.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0066.156] lstrlenW (lpString="CscService") returned 10 [0066.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0066.156] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0066.156] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0066.156] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0066.156] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0066.156] lstrlenW (lpString="DcomLaunch") returned 10 [0066.156] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0066.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0066.157] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0066.157] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0066.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0066.157] lstrlenW (lpString="Dhcp") returned 4 [0066.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0066.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0066.157] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0066.157] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0066.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0066.157] lstrlenW (lpString="Dnscache") returned 8 [0066.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0066.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0066.157] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0066.157] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0066.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0066.157] lstrlenW (lpString="DPS") returned 3 [0066.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0066.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0066.157] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0066.157] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0066.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0066.157] lstrlenW (lpString="eventlog") returned 8 [0066.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0066.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0066.157] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0066.157] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0066.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0066.158] lstrlenW (lpString="EventSystem") returned 11 [0066.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0066.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0066.158] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0066.158] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0066.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0066.158] lstrlenW (lpString="gpsvc") returned 5 [0066.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0066.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0066.158] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0066.158] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0066.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0066.158] lstrlenW (lpString="iphlpsvc") returned 8 [0066.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0066.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0066.158] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0066.158] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0066.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0066.158] lstrlenW (lpString="LanmanServer") returned 12 [0066.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0066.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0066.158] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0066.158] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0066.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0066.158] lstrlenW (lpString="LanmanWorkstation") returned 17 [0066.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0066.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0066.159] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0066.159] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0066.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0066.159] lstrlenW (lpString="lmhosts") returned 7 [0066.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0066.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0066.159] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0066.159] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0066.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0066.159] lstrlenW (lpString="MMCSS") returned 5 [0066.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0066.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0066.159] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0066.159] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0066.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0066.159] lstrlenW (lpString="MpsSvc") returned 6 [0066.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0066.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0066.159] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0066.159] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0066.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0066.159] lstrlenW (lpString="Netman") returned 6 [0066.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0066.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0066.159] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0066.159] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0066.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0066.160] lstrlenW (lpString="netprofm") returned 8 [0066.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0066.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0066.160] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0066.160] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0066.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0066.160] lstrlenW (lpString="NlaSvc") returned 6 [0066.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0066.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0066.160] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0066.160] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0066.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0066.160] lstrlenW (lpString="nsi") returned 3 [0066.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0066.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0066.160] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0066.160] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0066.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0066.160] lstrlenW (lpString="PcaSvc") returned 6 [0066.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0066.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0066.161] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0066.161] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0066.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0066.161] lstrlenW (lpString="PlugPlay") returned 8 [0066.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0066.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0066.161] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0066.161] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0066.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0066.161] lstrlenW (lpString="Power") returned 5 [0066.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0066.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0066.161] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0066.161] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0066.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0066.161] lstrlenW (lpString="ProfSvc") returned 7 [0066.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0066.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0066.161] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0066.161] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0066.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0066.162] lstrlenW (lpString="RpcEptMapper") returned 12 [0066.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0066.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0066.162] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0066.162] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0066.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0066.162] lstrlenW (lpString="RpcSs") returned 5 [0066.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0066.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0066.162] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0066.162] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0066.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0066.162] lstrlenW (lpString="SamSs") returned 5 [0066.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0066.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0066.162] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0066.162] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0066.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0066.162] lstrlenW (lpString="Schedule") returned 8 [0066.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0066.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0066.162] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0066.162] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0066.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0066.163] lstrlenW (lpString="SENS") returned 4 [0066.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0066.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0066.163] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0066.163] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0066.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0066.163] lstrlenW (lpString="ShellHWDetection") returned 16 [0066.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0066.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0066.163] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0066.163] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0066.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0066.163] lstrlenW (lpString="Spooler") returned 7 [0066.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0066.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0066.163] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0066.163] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0066.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0066.163] lstrlenW (lpString="SysMain") returned 7 [0066.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0066.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0066.163] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0066.164] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0066.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0066.164] lstrlenW (lpString="Themes") returned 6 [0066.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0066.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0066.164] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0066.164] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0066.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0066.164] lstrlenW (lpString="TrkWks") returned 6 [0066.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0066.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0066.164] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0066.164] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0066.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0066.164] lstrlenW (lpString="UxSms") returned 5 [0066.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0066.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0066.164] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0066.164] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0066.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0066.164] lstrlenW (lpString="WdiServiceHost") returned 14 [0066.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0066.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0066.165] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0066.165] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0066.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0066.165] lstrlenW (lpString="WdiSystemHost") returned 13 [0066.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0066.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0066.165] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0066.165] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0066.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0066.165] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0066.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0066.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0066.165] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0066.165] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0066.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0066.165] lstrlenW (lpString="Winmgmt") returned 7 [0066.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0066.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0066.165] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0066.165] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0066.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0066.166] lstrlenW (lpString="WPDBusEnum") returned 10 [0066.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0066.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0066.166] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0066.166] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0066.166] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0066.166] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2cdaf8 | out: hHeap=0x240000) returned 1 [0066.166] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x120 [0066.171] Process32FirstW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.174] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0066.174] lstrlenW (lpString="System") returned 6 [0066.174] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0066.174] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0066.174] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0066.175] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0066.175] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0066.175] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0066.175] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0066.175] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0066.175] lstrlenW (lpString="smss.exe") returned 8 [0066.175] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0066.175] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0066.175] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0066.176] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0066.176] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0066.176] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0066.176] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0066.176] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0066.176] lstrlenW (lpString="csrss.exe") returned 9 [0066.176] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0066.176] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0066.176] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0066.176] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0066.177] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0066.177] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0066.177] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0066.177] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0066.177] lstrlenW (lpString="wininit.exe") returned 11 [0066.177] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0066.177] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0066.177] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0066.177] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0066.178] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0066.178] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0066.178] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0066.178] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0066.178] lstrlenW (lpString="csrss.exe") returned 9 [0066.178] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0066.178] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0066.178] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0066.178] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0066.179] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0066.179] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0066.179] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0066.179] lstrlenW (lpString="winlogon.exe") returned 12 [0066.179] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0066.180] lstrlenW (lpString="services.exe") returned 12 [0066.180] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0066.181] lstrlenW (lpString="lsass.exe") returned 9 [0066.181] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0066.182] lstrlenW (lpString="lsm.exe") returned 7 [0066.182] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.183] lstrlenW (lpString="svchost.exe") returned 11 [0066.183] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.184] lstrlenW (lpString="svchost.exe") returned 11 [0066.184] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.185] lstrlenW (lpString="svchost.exe") returned 11 [0066.185] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.186] lstrlenW (lpString="svchost.exe") returned 11 [0066.186] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.187] lstrlenW (lpString="svchost.exe") returned 11 [0066.187] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0066.187] lstrlenW (lpString="audiodg.exe") returned 11 [0066.187] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.188] lstrlenW (lpString="svchost.exe") returned 11 [0066.188] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.189] lstrlenW (lpString="svchost.exe") returned 11 [0066.189] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0066.190] lstrlenW (lpString="dwm.exe") returned 7 [0066.190] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0066.190] lstrlenW (lpString="explorer.exe") returned 12 [0066.191] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0066.191] lstrlenW (lpString="spoolsv.exe") returned 11 [0066.191] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0066.192] lstrlenW (lpString="svchost.exe") returned 11 [0066.192] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0066.193] lstrlenW (lpString="taskhost.exe") returned 12 [0066.193] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0066.194] lstrlenW (lpString="taskeng.exe") returned 11 [0066.194] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0066.194] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0066.195] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0066.195] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0066.195] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0066.196] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0066.196] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0066.197] lstrlenW (lpString="celebration.exe") returned 15 [0066.197] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0066.197] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0066.197] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0066.210] lstrlenW (lpString="americansislamic.exe") returned 20 [0066.210] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0066.212] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0066.212] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0066.215] lstrlenW (lpString="sm-aud.exe") returned 10 [0066.215] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0066.357] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0066.357] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0066.358] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0066.358] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0066.359] lstrlenW (lpString="lap.exe") returned 7 [0066.359] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0066.360] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0066.360] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0066.360] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0066.360] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0066.361] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0066.361] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0066.362] lstrlenW (lpString="completion.exe") returned 14 [0066.362] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0066.363] lstrlenW (lpString="independently.exe") returned 17 [0066.363] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0066.364] lstrlenW (lpString="mel_kinase.exe") returned 14 [0066.364] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0066.365] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0066.365] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0066.366] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0066.366] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0066.367] lstrlenW (lpString="3dftp.exe") returned 9 [0066.367] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0066.368] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0066.368] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0066.369] lstrlenW (lpString="alftp.exe") returned 9 [0066.369] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0066.370] lstrlenW (lpString="barca.exe") returned 9 [0066.370] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0066.371] lstrlenW (lpString="bitkinex.exe") returned 12 [0066.371] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0066.372] lstrlenW (lpString="coreftp.exe") returned 11 [0066.372] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0066.373] lstrlenW (lpString="far.exe") returned 7 [0066.373] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0066.373] lstrlenW (lpString="filezilla.exe") returned 13 [0066.373] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0066.374] lstrlenW (lpString="flashfxp.exe") returned 12 [0066.374] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0066.375] lstrlenW (lpString="fling.exe") returned 9 [0066.375] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0066.376] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0066.376] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0066.377] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0066.377] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0066.377] lstrlenW (lpString="icq.exe") returned 7 [0066.377] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0066.378] lstrlenW (lpString="leechftp.exe") returned 12 [0066.378] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0066.379] lstrlenW (lpString="ncftp.exe") returned 9 [0066.379] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0066.381] lstrlenW (lpString="notepad.exe") returned 11 [0066.381] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0066.382] lstrlenW (lpString="operamail.exe") returned 13 [0066.383] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0066.384] lstrlenW (lpString="pidgin.exe") returned 10 [0066.384] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0066.388] lstrlenW (lpString="scriptftp.exe") returned 13 [0066.388] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0066.455] lstrlenW (lpString="skype.exe") returned 9 [0066.455] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0066.457] lstrlenW (lpString="smartftp.exe") returned 12 [0066.457] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0066.458] lstrlenW (lpString="thunderbird.exe") returned 15 [0066.458] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0066.460] lstrlenW (lpString="totalcmd.exe") returned 12 [0066.460] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0066.461] lstrlenW (lpString="trillian.exe") returned 12 [0066.461] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0066.463] lstrlenW (lpString="webdrive.exe") returned 12 [0066.463] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0066.484] lstrlenW (lpString="whatsapp.exe") returned 12 [0066.484] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0066.485] lstrlenW (lpString="winscp.exe") returned 10 [0066.485] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0066.487] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0066.487] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0066.488] lstrlenW (lpString="active-charge.exe") returned 17 [0066.488] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0066.489] lstrlenW (lpString="accupos.exe") returned 11 [0066.490] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0066.491] lstrlenW (lpString="afr38.exe") returned 9 [0066.491] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0066.492] lstrlenW (lpString="aldelo.exe") returned 10 [0066.492] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0066.494] lstrlenW (lpString="ccv_server.exe") returned 14 [0066.494] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0066.495] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0066.495] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0066.496] lstrlenW (lpString="creditservice.exe") returned 17 [0066.496] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0066.498] lstrlenW (lpString="edcsvr.exe") returned 10 [0066.498] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0066.499] lstrlenW (lpString="fpos.exe") returned 8 [0066.499] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0066.500] lstrlenW (lpString="isspos.exe") returned 10 [0066.500] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0066.501] lstrlenW (lpString="mxslipstream.exe") returned 16 [0066.502] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0066.502] lstrlenW (lpString="omnipos.exe") returned 11 [0066.502] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0066.504] lstrlenW (lpString="spcwin.exe") returned 10 [0066.504] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0066.505] lstrlenW (lpString="spgagentservice.exe") returned 19 [0066.505] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0066.506] lstrlenW (lpString="utg2.exe") returned 8 [0066.506] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0066.508] lstrlenW (lpString="forced-british.exe") returned 18 [0066.508] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0066.509] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0066.509] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0066.735] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0066.735] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0066.736] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0066.736] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0066.738] lstrlenW (lpString="kenya.exe") returned 9 [0066.738] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0066.739] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0066.739] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0066.740] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0066.740] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0066.741] lstrlenW (lpString="taskhost.exe") returned 12 [0066.741] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0066.742] lstrlenW (lpString="dllhost.exe") returned 11 [0066.742] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0066.744] lstrlenW (lpString="dllhost.exe") returned 11 [0066.744] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0066.745] lstrlenW (lpString="dmyurb.exe") returned 10 [0066.745] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0066.746] lstrlenW (lpString="cmd.exe") returned 7 [0066.746] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0066.747] lstrlenW (lpString="conhost.exe") returned 11 [0066.747] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0066.748] lstrlenW (lpString="mode.com") returned 8 [0066.748] Process32NextW (in: hSnapshot=0x120, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0066.749] CloseHandle (hObject=0x120) returned 1 [0066.749] Sleep (dwMilliseconds=0x1f4) [0067.791] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df7e0 [0067.801] EnumServicesStatusExW (in: hSCManager=0x2df7e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0067.813] GetLastError () returned 0xea [0067.813] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x11e4) returned 0x299008 [0067.826] EnumServicesStatusExW (in: hSCManager=0x2df7e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x299008, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x299008, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0067.828] CloseServiceHandle (hSCObject=0x2df7e0) returned 1 [0067.828] lstrlenW (lpString="Appinfo") returned 7 [0067.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0067.828] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0067.828] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0067.828] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0067.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0067.828] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0067.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0067.828] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0067.828] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0067.828] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0067.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0067.828] lstrlenW (lpString="AudioSrv") returned 8 [0067.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0067.829] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0067.829] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0067.829] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0067.829] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0067.829] lstrlenW (lpString="BFE") returned 3 [0067.829] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0067.829] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0067.829] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0067.829] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0067.829] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0067.829] lstrlenW (lpString="CryptSvc") returned 8 [0067.829] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0067.829] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0067.829] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0067.829] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0067.829] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0067.829] lstrlenW (lpString="CscService") returned 10 [0067.829] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0067.829] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0067.829] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0067.829] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0067.829] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0067.829] lstrlenW (lpString="DcomLaunch") returned 10 [0067.829] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0067.829] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0067.829] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0067.829] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0067.830] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0067.830] lstrlenW (lpString="Dhcp") returned 4 [0067.830] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0067.830] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0067.830] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0067.830] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0067.830] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0067.830] lstrlenW (lpString="Dnscache") returned 8 [0067.830] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0067.830] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0067.830] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0067.830] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0067.830] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0067.830] lstrlenW (lpString="DPS") returned 3 [0067.830] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0067.830] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0067.830] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0067.830] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0067.830] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0067.830] lstrlenW (lpString="eventlog") returned 8 [0067.830] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0067.830] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0067.830] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0067.830] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0067.830] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0067.830] lstrlenW (lpString="EventSystem") returned 11 [0067.830] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0067.830] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0067.831] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0067.831] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0067.831] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0067.831] lstrlenW (lpString="gpsvc") returned 5 [0067.831] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0067.831] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0067.831] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0067.833] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0067.833] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0067.833] lstrlenW (lpString="iphlpsvc") returned 8 [0067.833] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0067.833] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0067.833] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0067.833] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0067.833] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0067.833] lstrlenW (lpString="LanmanServer") returned 12 [0067.833] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0067.833] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0067.833] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0067.833] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0067.833] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0067.834] lstrlenW (lpString="LanmanWorkstation") returned 17 [0067.834] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0067.834] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0067.834] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0067.834] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0067.834] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0067.834] lstrlenW (lpString="lmhosts") returned 7 [0067.834] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0067.834] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0067.834] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0067.834] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0067.834] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0067.834] lstrlenW (lpString="MMCSS") returned 5 [0067.834] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0067.834] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0067.834] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0067.834] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0067.834] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0067.834] lstrlenW (lpString="MpsSvc") returned 6 [0067.834] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0067.834] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0067.834] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0067.834] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0067.834] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0067.834] lstrlenW (lpString="Netman") returned 6 [0067.834] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0067.834] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0067.834] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0067.835] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0067.835] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0067.835] lstrlenW (lpString="netprofm") returned 8 [0067.835] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0067.835] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0067.835] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0067.835] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0067.835] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0067.835] lstrlenW (lpString="NlaSvc") returned 6 [0067.835] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0067.835] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0067.835] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0067.835] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0067.835] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0067.835] lstrlenW (lpString="nsi") returned 3 [0067.835] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0067.835] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0067.835] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0067.835] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0067.835] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0067.835] lstrlenW (lpString="PcaSvc") returned 6 [0067.835] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0067.835] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0067.835] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0067.835] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0067.835] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0067.835] lstrlenW (lpString="PlugPlay") returned 8 [0067.836] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0067.836] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0067.836] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0067.836] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0067.836] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0067.836] lstrlenW (lpString="Power") returned 5 [0067.836] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0067.836] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0067.836] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0067.836] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0067.836] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0067.836] lstrlenW (lpString="ProfSvc") returned 7 [0067.836] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0067.836] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0067.836] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0067.836] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0067.836] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0067.836] lstrlenW (lpString="RpcEptMapper") returned 12 [0067.836] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0067.836] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0067.836] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0067.836] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0067.836] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0067.836] lstrlenW (lpString="RpcSs") returned 5 [0067.837] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0067.837] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0067.837] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0067.837] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0067.837] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0067.837] lstrlenW (lpString="SamSs") returned 5 [0067.837] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0067.837] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0067.837] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0067.837] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0067.837] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0067.837] lstrlenW (lpString="Schedule") returned 8 [0067.837] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0067.837] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0067.837] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0067.837] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0067.837] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0067.837] lstrlenW (lpString="SENS") returned 4 [0067.837] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0067.837] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0067.837] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0067.837] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0067.837] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0067.837] lstrlenW (lpString="ShellHWDetection") returned 16 [0067.837] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0067.837] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0067.837] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0067.838] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0067.838] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0067.838] lstrlenW (lpString="Spooler") returned 7 [0067.838] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0067.838] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0067.838] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0067.838] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0067.838] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0067.838] lstrlenW (lpString="SysMain") returned 7 [0067.838] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0067.838] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0067.838] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0067.838] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0067.838] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0067.838] lstrlenW (lpString="Themes") returned 6 [0067.838] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0067.838] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0067.838] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0067.838] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0067.838] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0067.838] lstrlenW (lpString="TrkWks") returned 6 [0067.838] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0067.838] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0067.838] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0067.838] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0067.838] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0067.838] lstrlenW (lpString="UxSms") returned 5 [0067.838] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0067.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0067.839] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0067.839] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0067.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0067.839] lstrlenW (lpString="WdiServiceHost") returned 14 [0067.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0067.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0067.839] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0067.839] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0067.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0067.839] lstrlenW (lpString="WdiSystemHost") returned 13 [0067.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0067.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0067.839] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0067.839] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0067.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0067.839] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0067.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0067.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0067.839] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0067.839] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0067.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0067.839] lstrlenW (lpString="Winmgmt") returned 7 [0067.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0067.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0067.839] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0067.839] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0067.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0067.840] lstrlenW (lpString="WPDBusEnum") returned 10 [0067.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0067.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0067.840] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0067.840] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0067.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0067.840] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x299008 | out: hHeap=0x240000) returned 1 [0067.840] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1c8 [0067.845] Process32FirstW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0067.845] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0067.846] lstrlenW (lpString="System") returned 6 [0067.846] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0067.846] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0067.846] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0067.846] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0067.846] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0067.846] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0067.846] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0067.846] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0067.847] lstrlenW (lpString="smss.exe") returned 8 [0067.847] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0067.847] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0067.847] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0067.847] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0067.847] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0067.847] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0067.847] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0067.847] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0067.848] lstrlenW (lpString="csrss.exe") returned 9 [0067.848] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0067.848] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0067.848] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0067.848] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0067.848] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0067.848] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0067.848] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0067.848] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0067.849] lstrlenW (lpString="wininit.exe") returned 11 [0067.849] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0067.849] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0067.849] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0067.850] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0067.850] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0067.850] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0067.850] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0067.850] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0067.850] lstrlenW (lpString="csrss.exe") returned 9 [0067.850] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0067.850] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0067.850] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0067.850] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0067.851] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0067.851] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0067.851] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0067.852] lstrlenW (lpString="winlogon.exe") returned 12 [0067.852] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0067.853] lstrlenW (lpString="services.exe") returned 12 [0067.853] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0067.853] lstrlenW (lpString="lsass.exe") returned 9 [0067.853] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0067.854] lstrlenW (lpString="lsm.exe") returned 7 [0067.854] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.855] lstrlenW (lpString="svchost.exe") returned 11 [0067.855] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.855] lstrlenW (lpString="svchost.exe") returned 11 [0067.856] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.856] lstrlenW (lpString="svchost.exe") returned 11 [0067.856] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.857] lstrlenW (lpString="svchost.exe") returned 11 [0067.857] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.858] lstrlenW (lpString="svchost.exe") returned 11 [0067.858] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0067.858] lstrlenW (lpString="audiodg.exe") returned 11 [0067.858] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.859] lstrlenW (lpString="svchost.exe") returned 11 [0067.859] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.860] lstrlenW (lpString="svchost.exe") returned 11 [0067.860] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0067.861] lstrlenW (lpString="dwm.exe") returned 7 [0067.861] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0067.861] lstrlenW (lpString="explorer.exe") returned 12 [0067.861] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0067.862] lstrlenW (lpString="spoolsv.exe") returned 11 [0067.862] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0067.863] lstrlenW (lpString="svchost.exe") returned 11 [0067.863] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0067.863] lstrlenW (lpString="taskhost.exe") returned 12 [0067.863] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0067.864] lstrlenW (lpString="taskeng.exe") returned 11 [0067.864] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0067.865] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0067.865] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0067.866] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0067.866] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0067.866] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0067.866] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0068.319] lstrlenW (lpString="celebration.exe") returned 15 [0068.319] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0068.320] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0068.320] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0068.321] lstrlenW (lpString="americansislamic.exe") returned 20 [0068.321] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0068.321] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0068.321] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0068.322] lstrlenW (lpString="sm-aud.exe") returned 10 [0068.322] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0068.322] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0068.322] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0068.323] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0068.323] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0068.323] lstrlenW (lpString="lap.exe") returned 7 [0068.323] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0068.324] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0068.324] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0068.325] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0068.325] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0068.326] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0068.326] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0068.326] lstrlenW (lpString="completion.exe") returned 14 [0068.326] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0068.327] lstrlenW (lpString="independently.exe") returned 17 [0068.327] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0068.328] lstrlenW (lpString="mel_kinase.exe") returned 14 [0068.328] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0068.329] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0068.329] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0068.329] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0068.329] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0068.330] lstrlenW (lpString="3dftp.exe") returned 9 [0068.330] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0068.331] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0068.331] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0068.331] lstrlenW (lpString="alftp.exe") returned 9 [0068.331] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0068.332] lstrlenW (lpString="barca.exe") returned 9 [0068.332] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0068.333] lstrlenW (lpString="bitkinex.exe") returned 12 [0068.333] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0068.333] lstrlenW (lpString="coreftp.exe") returned 11 [0068.333] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0068.334] lstrlenW (lpString="far.exe") returned 7 [0068.334] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0068.334] lstrlenW (lpString="filezilla.exe") returned 13 [0068.334] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0068.335] lstrlenW (lpString="flashfxp.exe") returned 12 [0068.335] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0068.336] lstrlenW (lpString="fling.exe") returned 9 [0068.336] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0068.336] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0068.336] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0068.337] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0068.337] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0068.338] lstrlenW (lpString="icq.exe") returned 7 [0068.338] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0068.338] lstrlenW (lpString="leechftp.exe") returned 12 [0068.338] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0068.339] lstrlenW (lpString="ncftp.exe") returned 9 [0068.339] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0068.340] lstrlenW (lpString="notepad.exe") returned 11 [0068.340] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0068.341] lstrlenW (lpString="operamail.exe") returned 13 [0068.341] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0068.342] lstrlenW (lpString="pidgin.exe") returned 10 [0068.342] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0068.342] lstrlenW (lpString="scriptftp.exe") returned 13 [0068.342] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0068.343] lstrlenW (lpString="skype.exe") returned 9 [0068.343] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0068.344] lstrlenW (lpString="smartftp.exe") returned 12 [0068.344] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0068.345] lstrlenW (lpString="thunderbird.exe") returned 15 [0068.345] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0068.346] lstrlenW (lpString="totalcmd.exe") returned 12 [0068.346] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0068.347] lstrlenW (lpString="trillian.exe") returned 12 [0068.347] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0068.347] lstrlenW (lpString="webdrive.exe") returned 12 [0068.347] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0068.348] lstrlenW (lpString="whatsapp.exe") returned 12 [0068.348] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0068.349] lstrlenW (lpString="winscp.exe") returned 10 [0068.349] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0068.350] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0068.350] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0068.351] lstrlenW (lpString="active-charge.exe") returned 17 [0068.351] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0068.351] lstrlenW (lpString="accupos.exe") returned 11 [0068.351] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0068.352] lstrlenW (lpString="afr38.exe") returned 9 [0068.352] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0068.353] lstrlenW (lpString="aldelo.exe") returned 10 [0068.353] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0068.354] lstrlenW (lpString="ccv_server.exe") returned 14 [0068.354] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0068.354] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0068.354] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0068.355] lstrlenW (lpString="creditservice.exe") returned 17 [0068.355] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0068.356] lstrlenW (lpString="edcsvr.exe") returned 10 [0068.356] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0068.357] lstrlenW (lpString="fpos.exe") returned 8 [0068.357] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0068.358] lstrlenW (lpString="isspos.exe") returned 10 [0068.358] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0068.358] lstrlenW (lpString="mxslipstream.exe") returned 16 [0068.359] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0068.359] lstrlenW (lpString="omnipos.exe") returned 11 [0068.359] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0068.360] lstrlenW (lpString="spcwin.exe") returned 10 [0068.360] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0068.361] lstrlenW (lpString="spgagentservice.exe") returned 19 [0068.361] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0068.361] lstrlenW (lpString="utg2.exe") returned 8 [0068.361] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0068.362] lstrlenW (lpString="forced-british.exe") returned 18 [0068.362] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0068.363] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0068.363] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0068.363] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0068.363] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0068.364] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0068.364] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0068.365] lstrlenW (lpString="kenya.exe") returned 9 [0068.365] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0068.365] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0068.365] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0069.593] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0069.593] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0069.594] lstrlenW (lpString="taskhost.exe") returned 12 [0069.594] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0069.595] lstrlenW (lpString="dllhost.exe") returned 11 [0069.595] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0069.596] lstrlenW (lpString="dllhost.exe") returned 11 [0069.596] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0069.596] lstrlenW (lpString="dmyurb.exe") returned 10 [0069.596] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0069.597] lstrlenW (lpString="cmd.exe") returned 7 [0069.597] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0069.598] lstrlenW (lpString="conhost.exe") returned 11 [0069.598] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0069.598] lstrlenW (lpString="vssadmin.exe") returned 12 [0069.598] Process32NextW (in: hSnapshot=0x1c8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0069.599] CloseHandle (hObject=0x1c8) returned 1 [0069.599] Sleep (dwMilliseconds=0x1f4) [0070.130] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df948 [0070.131] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0070.131] GetLastError () returned 0xea [0070.131] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x11e4) returned 0x32caa30 [0070.131] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x32caa30, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x32caa30, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0070.132] CloseServiceHandle (hSCObject=0x2df948) returned 1 [0070.133] lstrlenW (lpString="Appinfo") returned 7 [0070.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0070.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0070.133] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0070.133] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0070.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0070.133] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0070.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0070.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0070.133] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0070.133] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0070.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0070.133] lstrlenW (lpString="AudioSrv") returned 8 [0070.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0070.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0070.133] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0070.133] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0070.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0070.133] lstrlenW (lpString="BFE") returned 3 [0070.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0070.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0070.133] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0070.134] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0070.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0070.134] lstrlenW (lpString="CryptSvc") returned 8 [0070.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0070.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0070.134] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0070.134] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0070.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0070.134] lstrlenW (lpString="CscService") returned 10 [0070.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0070.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0070.134] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0070.134] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0070.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0070.134] lstrlenW (lpString="DcomLaunch") returned 10 [0070.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0070.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0070.134] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0070.134] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0070.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0070.134] lstrlenW (lpString="Dhcp") returned 4 [0070.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0070.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0070.134] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0070.134] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0070.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0070.134] lstrlenW (lpString="Dnscache") returned 8 [0070.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0070.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0070.135] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0070.135] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0070.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0070.135] lstrlenW (lpString="DPS") returned 3 [0070.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0070.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0070.135] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0070.135] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0070.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0070.135] lstrlenW (lpString="eventlog") returned 8 [0070.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0070.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0070.135] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0070.135] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0070.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0070.135] lstrlenW (lpString="EventSystem") returned 11 [0070.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0070.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0070.135] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0070.135] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0070.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0070.135] lstrlenW (lpString="gpsvc") returned 5 [0070.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0070.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0070.135] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0070.136] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0070.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0070.136] lstrlenW (lpString="iphlpsvc") returned 8 [0070.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0070.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0070.136] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0070.136] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0070.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0070.136] lstrlenW (lpString="LanmanServer") returned 12 [0070.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0070.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0070.136] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0070.136] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0070.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0070.136] lstrlenW (lpString="LanmanWorkstation") returned 17 [0070.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0070.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0070.136] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0070.136] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0070.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0070.136] lstrlenW (lpString="lmhosts") returned 7 [0070.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0070.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0070.136] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0070.136] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0070.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0070.137] lstrlenW (lpString="MMCSS") returned 5 [0070.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0070.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0070.137] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0070.137] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0070.137] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0070.137] lstrlenW (lpString="MpsSvc") returned 6 [0070.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0070.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0070.137] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0070.137] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0070.137] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0070.137] lstrlenW (lpString="Netman") returned 6 [0070.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0070.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0070.137] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0070.137] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0070.137] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0070.137] lstrlenW (lpString="netprofm") returned 8 [0070.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0070.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0070.137] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0070.137] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0070.137] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0070.137] lstrlenW (lpString="NlaSvc") returned 6 [0070.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0070.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0070.138] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0070.138] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0070.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0070.138] lstrlenW (lpString="nsi") returned 3 [0070.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0070.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0070.138] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0070.138] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0070.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0070.138] lstrlenW (lpString="PcaSvc") returned 6 [0070.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0070.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0070.138] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0070.138] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0070.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0070.138] lstrlenW (lpString="PlugPlay") returned 8 [0070.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0070.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0070.138] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0070.138] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0070.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0070.138] lstrlenW (lpString="Power") returned 5 [0070.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0070.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0070.138] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0070.138] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0070.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0070.139] lstrlenW (lpString="ProfSvc") returned 7 [0070.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0070.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0070.139] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0070.139] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0070.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0070.139] lstrlenW (lpString="RpcEptMapper") returned 12 [0070.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0070.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0070.139] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0070.139] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0070.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0070.139] lstrlenW (lpString="RpcSs") returned 5 [0070.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0070.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0070.139] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0070.139] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0070.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0070.139] lstrlenW (lpString="SamSs") returned 5 [0070.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0070.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0070.139] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0070.139] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0070.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0070.139] lstrlenW (lpString="Schedule") returned 8 [0070.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0070.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0070.139] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0070.140] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0070.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0070.140] lstrlenW (lpString="SENS") returned 4 [0070.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0070.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0070.140] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0070.140] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0070.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0070.140] lstrlenW (lpString="ShellHWDetection") returned 16 [0070.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0070.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0070.140] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0070.140] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0070.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0070.140] lstrlenW (lpString="Spooler") returned 7 [0070.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0070.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0070.140] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0070.140] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0070.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0070.140] lstrlenW (lpString="SysMain") returned 7 [0070.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0070.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0070.140] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0070.140] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0070.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0070.140] lstrlenW (lpString="Themes") returned 6 [0070.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0070.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0070.141] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0070.141] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0070.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0070.141] lstrlenW (lpString="TrkWks") returned 6 [0070.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0070.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0070.141] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0070.141] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0070.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0070.141] lstrlenW (lpString="UxSms") returned 5 [0070.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0070.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0070.141] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0070.141] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0070.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0070.141] lstrlenW (lpString="WdiServiceHost") returned 14 [0070.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0070.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0070.141] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0070.141] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0070.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0070.141] lstrlenW (lpString="WdiSystemHost") returned 13 [0070.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0070.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0070.141] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0070.142] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0070.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0070.142] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0070.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0070.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0070.142] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0070.142] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0070.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0070.142] lstrlenW (lpString="Winmgmt") returned 7 [0070.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0070.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0070.142] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0070.142] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0070.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0070.142] lstrlenW (lpString="WPDBusEnum") returned 10 [0070.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0070.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0070.142] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0070.142] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0070.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0070.142] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x32caa30 | out: hHeap=0x240000) returned 1 [0070.142] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x210 [0070.155] Process32FirstW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0070.156] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0070.156] lstrlenW (lpString="System") returned 6 [0070.156] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0070.156] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0070.156] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0070.156] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0070.157] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0070.157] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0070.157] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0070.157] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0070.157] lstrlenW (lpString="smss.exe") returned 8 [0070.157] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0070.157] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0070.157] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0070.157] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0070.157] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0070.157] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0070.158] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0070.158] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0070.158] lstrlenW (lpString="csrss.exe") returned 9 [0070.158] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0070.158] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0070.158] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0070.158] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0070.158] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0070.158] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0070.158] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0070.158] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0070.159] lstrlenW (lpString="wininit.exe") returned 11 [0070.159] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0070.159] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0070.159] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0070.159] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0070.159] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0070.159] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0070.159] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0070.159] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0070.160] lstrlenW (lpString="csrss.exe") returned 9 [0070.160] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0070.160] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0070.160] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0070.160] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0070.160] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0070.160] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0070.160] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0070.161] lstrlenW (lpString="winlogon.exe") returned 12 [0070.161] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0070.162] lstrlenW (lpString="services.exe") returned 12 [0070.162] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0070.163] lstrlenW (lpString="lsass.exe") returned 9 [0070.163] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0070.164] lstrlenW (lpString="lsm.exe") returned 7 [0070.164] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.164] lstrlenW (lpString="svchost.exe") returned 11 [0070.164] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.165] lstrlenW (lpString="svchost.exe") returned 11 [0070.165] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.166] lstrlenW (lpString="svchost.exe") returned 11 [0070.166] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.166] lstrlenW (lpString="svchost.exe") returned 11 [0070.166] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.167] lstrlenW (lpString="svchost.exe") returned 11 [0070.167] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0070.168] lstrlenW (lpString="audiodg.exe") returned 11 [0070.168] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.168] lstrlenW (lpString="svchost.exe") returned 11 [0070.169] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.170] lstrlenW (lpString="svchost.exe") returned 11 [0070.170] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0070.170] lstrlenW (lpString="dwm.exe") returned 7 [0070.170] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0070.171] lstrlenW (lpString="explorer.exe") returned 12 [0070.171] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0070.172] lstrlenW (lpString="spoolsv.exe") returned 11 [0070.172] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.172] lstrlenW (lpString="svchost.exe") returned 11 [0070.172] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0070.173] lstrlenW (lpString="taskhost.exe") returned 12 [0070.173] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0070.174] lstrlenW (lpString="taskeng.exe") returned 11 [0070.174] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0070.174] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0070.174] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0070.175] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0070.175] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0070.222] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0070.222] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0070.223] lstrlenW (lpString="celebration.exe") returned 15 [0070.223] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0070.224] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0070.224] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0070.224] lstrlenW (lpString="americansislamic.exe") returned 20 [0070.225] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0070.225] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0070.225] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0070.226] lstrlenW (lpString="sm-aud.exe") returned 10 [0070.226] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0070.227] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0070.227] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0070.227] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0070.227] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0070.228] lstrlenW (lpString="lap.exe") returned 7 [0070.228] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0070.229] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0070.229] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0070.230] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0070.230] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0070.231] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0070.231] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0070.231] lstrlenW (lpString="completion.exe") returned 14 [0070.231] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0070.233] lstrlenW (lpString="independently.exe") returned 17 [0070.234] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0070.234] lstrlenW (lpString="mel_kinase.exe") returned 14 [0070.234] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0070.235] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0070.235] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0070.236] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0070.236] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0070.236] lstrlenW (lpString="3dftp.exe") returned 9 [0070.236] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0070.238] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0070.238] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0070.239] lstrlenW (lpString="alftp.exe") returned 9 [0070.239] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0070.239] lstrlenW (lpString="barca.exe") returned 9 [0070.239] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0070.240] lstrlenW (lpString="bitkinex.exe") returned 12 [0070.240] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0070.241] lstrlenW (lpString="coreftp.exe") returned 11 [0070.241] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0070.241] lstrlenW (lpString="far.exe") returned 7 [0070.242] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0070.242] lstrlenW (lpString="filezilla.exe") returned 13 [0070.242] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0070.244] lstrlenW (lpString="flashfxp.exe") returned 12 [0070.244] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0070.245] lstrlenW (lpString="fling.exe") returned 9 [0070.245] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0070.245] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0070.245] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0070.246] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0070.246] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0070.247] lstrlenW (lpString="icq.exe") returned 7 [0070.247] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0070.247] lstrlenW (lpString="leechftp.exe") returned 12 [0070.247] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0070.248] lstrlenW (lpString="ncftp.exe") returned 9 [0070.248] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0070.249] lstrlenW (lpString="notepad.exe") returned 11 [0070.249] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0070.250] lstrlenW (lpString="operamail.exe") returned 13 [0070.250] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0070.251] lstrlenW (lpString="pidgin.exe") returned 10 [0070.251] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0070.252] lstrlenW (lpString="scriptftp.exe") returned 13 [0070.252] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0070.253] lstrlenW (lpString="skype.exe") returned 9 [0070.253] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0070.255] lstrlenW (lpString="smartftp.exe") returned 12 [0070.255] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0070.256] lstrlenW (lpString="thunderbird.exe") returned 15 [0070.256] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0070.258] lstrlenW (lpString="totalcmd.exe") returned 12 [0070.258] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0070.259] lstrlenW (lpString="trillian.exe") returned 12 [0070.259] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0070.260] lstrlenW (lpString="webdrive.exe") returned 12 [0070.260] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0070.261] lstrlenW (lpString="whatsapp.exe") returned 12 [0070.261] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0070.262] lstrlenW (lpString="winscp.exe") returned 10 [0070.262] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0070.263] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0070.263] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0070.264] lstrlenW (lpString="active-charge.exe") returned 17 [0070.264] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0070.265] lstrlenW (lpString="accupos.exe") returned 11 [0070.265] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0070.266] lstrlenW (lpString="afr38.exe") returned 9 [0070.266] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0070.267] lstrlenW (lpString="aldelo.exe") returned 10 [0070.267] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0070.268] lstrlenW (lpString="ccv_server.exe") returned 14 [0070.268] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0070.269] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0070.269] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0070.299] lstrlenW (lpString="creditservice.exe") returned 17 [0070.299] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0070.301] lstrlenW (lpString="edcsvr.exe") returned 10 [0070.301] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0070.301] lstrlenW (lpString="fpos.exe") returned 8 [0070.302] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0070.302] lstrlenW (lpString="isspos.exe") returned 10 [0070.302] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0070.303] lstrlenW (lpString="mxslipstream.exe") returned 16 [0070.303] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0070.304] lstrlenW (lpString="omnipos.exe") returned 11 [0070.304] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0070.305] lstrlenW (lpString="spcwin.exe") returned 10 [0070.305] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0070.306] lstrlenW (lpString="spgagentservice.exe") returned 19 [0070.306] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0070.307] lstrlenW (lpString="utg2.exe") returned 8 [0070.307] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0070.308] lstrlenW (lpString="forced-british.exe") returned 18 [0070.308] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0070.309] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0070.309] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0070.310] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0070.310] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0070.311] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0070.311] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0070.312] lstrlenW (lpString="kenya.exe") returned 9 [0070.312] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0070.312] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0070.313] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0070.313] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0070.313] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0070.314] lstrlenW (lpString="taskhost.exe") returned 12 [0070.314] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0070.316] lstrlenW (lpString="dmyurb.exe") returned 10 [0070.316] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0070.318] lstrlenW (lpString="cmd.exe") returned 7 [0070.318] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0070.319] lstrlenW (lpString="conhost.exe") returned 11 [0070.319] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0070.320] lstrlenW (lpString="vssadmin.exe") returned 12 [0070.320] Process32NextW (in: hSnapshot=0x210, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0070.321] CloseHandle (hObject=0x210) returned 1 [0070.321] Sleep (dwMilliseconds=0x1f4) [0071.044] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df948 [0071.044] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0071.045] GetLastError () returned 0xea [0071.045] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x11e4) returned 0x293ff8 [0071.045] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0071.045] CloseServiceHandle (hSCObject=0x2df948) returned 1 [0071.046] lstrlenW (lpString="Appinfo") returned 7 [0071.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0071.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0071.046] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0071.046] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0071.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0071.046] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0071.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0071.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0071.046] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0071.046] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0071.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0071.046] lstrlenW (lpString="AudioSrv") returned 8 [0071.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0071.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0071.046] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0071.046] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0071.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0071.046] lstrlenW (lpString="BFE") returned 3 [0071.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0071.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0071.047] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0071.047] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0071.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0071.047] lstrlenW (lpString="CryptSvc") returned 8 [0071.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0071.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0071.047] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0071.047] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0071.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0071.047] lstrlenW (lpString="CscService") returned 10 [0071.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0071.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0071.047] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0071.047] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0071.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0071.047] lstrlenW (lpString="DcomLaunch") returned 10 [0071.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0071.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0071.047] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0071.047] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0071.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0071.047] lstrlenW (lpString="Dhcp") returned 4 [0071.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0071.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0071.047] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0071.047] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0071.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0071.048] lstrlenW (lpString="Dnscache") returned 8 [0071.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0071.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0071.048] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0071.048] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0071.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0071.048] lstrlenW (lpString="DPS") returned 3 [0071.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0071.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0071.048] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0071.048] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0071.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0071.048] lstrlenW (lpString="eventlog") returned 8 [0071.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0071.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0071.048] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0071.048] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0071.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0071.048] lstrlenW (lpString="EventSystem") returned 11 [0071.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0071.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0071.048] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0071.048] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0071.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0071.049] lstrlenW (lpString="gpsvc") returned 5 [0071.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0071.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0071.049] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0071.049] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0071.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0071.049] lstrlenW (lpString="iphlpsvc") returned 8 [0071.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0071.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0071.049] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0071.049] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0071.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0071.049] lstrlenW (lpString="LanmanServer") returned 12 [0071.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0071.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0071.049] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0071.049] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0071.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0071.049] lstrlenW (lpString="LanmanWorkstation") returned 17 [0071.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0071.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0071.049] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0071.049] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0071.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0071.049] lstrlenW (lpString="lmhosts") returned 7 [0071.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0071.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0071.050] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0071.050] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0071.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0071.050] lstrlenW (lpString="MMCSS") returned 5 [0071.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0071.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0071.050] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0071.050] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0071.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0071.050] lstrlenW (lpString="MpsSvc") returned 6 [0071.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0071.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0071.050] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0071.050] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0071.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0071.050] lstrlenW (lpString="Netman") returned 6 [0071.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0071.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0071.050] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0071.050] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0071.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0071.050] lstrlenW (lpString="netprofm") returned 8 [0071.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0071.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0071.050] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0071.051] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0071.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0071.051] lstrlenW (lpString="NlaSvc") returned 6 [0071.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0071.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0071.051] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0071.051] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0071.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0071.051] lstrlenW (lpString="nsi") returned 3 [0071.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0071.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0071.051] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0071.051] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0071.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0071.051] lstrlenW (lpString="PcaSvc") returned 6 [0071.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0071.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0071.051] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0071.051] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0071.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0071.051] lstrlenW (lpString="PlugPlay") returned 8 [0071.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0071.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0071.051] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0071.051] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0071.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0071.051] lstrlenW (lpString="Power") returned 5 [0071.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0071.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0071.052] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0071.052] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0071.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0071.052] lstrlenW (lpString="ProfSvc") returned 7 [0071.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0071.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0071.052] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0071.052] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0071.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0071.052] lstrlenW (lpString="RpcEptMapper") returned 12 [0071.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0071.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0071.052] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0071.052] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0071.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0071.052] lstrlenW (lpString="RpcSs") returned 5 [0071.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0071.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0071.052] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0071.052] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0071.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0071.052] lstrlenW (lpString="SamSs") returned 5 [0071.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0071.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0071.052] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0071.053] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0071.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0071.053] lstrlenW (lpString="Schedule") returned 8 [0071.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0071.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0071.053] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0071.053] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0071.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0071.053] lstrlenW (lpString="SENS") returned 4 [0071.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0071.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0071.053] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0071.053] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0071.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0071.053] lstrlenW (lpString="ShellHWDetection") returned 16 [0071.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0071.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0071.053] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0071.053] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0071.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0071.053] lstrlenW (lpString="Spooler") returned 7 [0071.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0071.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0071.053] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0071.053] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0071.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0071.053] lstrlenW (lpString="SysMain") returned 7 [0071.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0071.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0071.054] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0071.054] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0071.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0071.054] lstrlenW (lpString="Themes") returned 6 [0071.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0071.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0071.054] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0071.054] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0071.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0071.054] lstrlenW (lpString="TrkWks") returned 6 [0071.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0071.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0071.054] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0071.054] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0071.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0071.054] lstrlenW (lpString="UxSms") returned 5 [0071.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0071.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0071.054] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0071.054] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0071.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0071.054] lstrlenW (lpString="WdiServiceHost") returned 14 [0071.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0071.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0071.055] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0071.055] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0071.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0071.055] lstrlenW (lpString="WdiSystemHost") returned 13 [0071.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0071.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0071.055] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0071.055] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0071.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0071.055] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0071.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0071.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0071.055] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0071.055] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0071.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0071.055] lstrlenW (lpString="Winmgmt") returned 7 [0071.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0071.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0071.055] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0071.055] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0071.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0071.055] lstrlenW (lpString="WPDBusEnum") returned 10 [0071.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0071.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0071.056] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0071.056] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0071.056] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0071.056] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0071.056] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1ec [0071.061] Process32FirstW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0071.061] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0071.062] lstrlenW (lpString="System") returned 6 [0071.062] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0071.062] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0071.062] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0071.062] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0071.062] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0071.062] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0071.062] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0071.062] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0071.063] lstrlenW (lpString="smss.exe") returned 8 [0071.063] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0071.063] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0071.063] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0071.063] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0071.063] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0071.063] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0071.063] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0071.063] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0071.064] lstrlenW (lpString="csrss.exe") returned 9 [0071.064] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0071.064] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0071.064] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0071.064] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0071.064] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0071.064] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0071.064] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0071.064] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0071.065] lstrlenW (lpString="wininit.exe") returned 11 [0071.066] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0071.066] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0071.066] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0071.066] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0071.066] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0071.066] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0071.066] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0071.066] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0071.066] lstrlenW (lpString="csrss.exe") returned 9 [0071.066] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0071.067] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0071.067] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0071.067] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0071.067] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0071.067] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0071.067] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0071.067] lstrlenW (lpString="winlogon.exe") returned 12 [0071.067] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0071.068] lstrlenW (lpString="services.exe") returned 12 [0071.068] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0071.069] lstrlenW (lpString="lsass.exe") returned 9 [0071.069] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0071.069] lstrlenW (lpString="lsm.exe") returned 7 [0071.069] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.070] lstrlenW (lpString="svchost.exe") returned 11 [0071.070] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.070] lstrlenW (lpString="svchost.exe") returned 11 [0071.070] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.071] lstrlenW (lpString="svchost.exe") returned 11 [0071.071] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.071] lstrlenW (lpString="svchost.exe") returned 11 [0071.071] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.072] lstrlenW (lpString="svchost.exe") returned 11 [0071.072] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0071.072] lstrlenW (lpString="audiodg.exe") returned 11 [0071.072] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.073] lstrlenW (lpString="svchost.exe") returned 11 [0071.073] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.073] lstrlenW (lpString="svchost.exe") returned 11 [0071.074] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0071.074] lstrlenW (lpString="dwm.exe") returned 7 [0071.074] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0071.075] lstrlenW (lpString="explorer.exe") returned 12 [0071.075] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0071.075] lstrlenW (lpString="spoolsv.exe") returned 11 [0071.075] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0071.076] lstrlenW (lpString="svchost.exe") returned 11 [0071.076] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0071.077] lstrlenW (lpString="taskhost.exe") returned 12 [0071.077] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0071.078] lstrlenW (lpString="taskeng.exe") returned 11 [0071.078] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0071.078] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0071.078] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0071.079] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0071.079] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0071.080] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0071.080] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0071.080] lstrlenW (lpString="celebration.exe") returned 15 [0071.080] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0071.399] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0071.399] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0071.400] lstrlenW (lpString="americansislamic.exe") returned 20 [0071.400] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0071.401] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0071.401] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0071.401] lstrlenW (lpString="sm-aud.exe") returned 10 [0071.401] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0071.402] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0071.402] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0071.403] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0071.403] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0071.403] lstrlenW (lpString="lap.exe") returned 7 [0071.404] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0071.404] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0071.404] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0071.405] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0071.405] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0071.406] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0071.406] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0071.406] lstrlenW (lpString="completion.exe") returned 14 [0071.406] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0071.407] lstrlenW (lpString="independently.exe") returned 17 [0071.407] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0071.408] lstrlenW (lpString="mel_kinase.exe") returned 14 [0071.408] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0071.409] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0071.409] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0071.409] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0071.409] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0071.410] lstrlenW (lpString="3dftp.exe") returned 9 [0071.410] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0071.410] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0071.410] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0071.411] lstrlenW (lpString="alftp.exe") returned 9 [0071.411] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0071.412] lstrlenW (lpString="barca.exe") returned 9 [0071.412] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0071.412] lstrlenW (lpString="bitkinex.exe") returned 12 [0071.412] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0071.413] lstrlenW (lpString="coreftp.exe") returned 11 [0071.413] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0071.414] lstrlenW (lpString="far.exe") returned 7 [0071.414] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0071.414] lstrlenW (lpString="filezilla.exe") returned 13 [0071.414] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0071.415] lstrlenW (lpString="flashfxp.exe") returned 12 [0071.415] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0071.416] lstrlenW (lpString="fling.exe") returned 9 [0071.416] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0071.416] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0071.416] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0071.417] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0071.417] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0071.417] lstrlenW (lpString="icq.exe") returned 7 [0071.417] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0071.418] lstrlenW (lpString="leechftp.exe") returned 12 [0071.418] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0071.419] lstrlenW (lpString="ncftp.exe") returned 9 [0071.419] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0071.420] lstrlenW (lpString="notepad.exe") returned 11 [0071.420] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0071.421] lstrlenW (lpString="operamail.exe") returned 13 [0071.421] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0071.422] lstrlenW (lpString="pidgin.exe") returned 10 [0071.422] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0071.423] lstrlenW (lpString="scriptftp.exe") returned 13 [0071.423] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0071.424] lstrlenW (lpString="skype.exe") returned 9 [0071.424] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0071.425] lstrlenW (lpString="smartftp.exe") returned 12 [0071.426] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0071.427] lstrlenW (lpString="thunderbird.exe") returned 15 [0071.427] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0071.428] lstrlenW (lpString="totalcmd.exe") returned 12 [0071.428] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0071.429] lstrlenW (lpString="trillian.exe") returned 12 [0071.429] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0071.430] lstrlenW (lpString="webdrive.exe") returned 12 [0071.430] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0071.431] lstrlenW (lpString="whatsapp.exe") returned 12 [0071.431] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0071.432] lstrlenW (lpString="winscp.exe") returned 10 [0071.432] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0071.433] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0071.433] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0071.434] lstrlenW (lpString="active-charge.exe") returned 17 [0071.434] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0071.435] lstrlenW (lpString="accupos.exe") returned 11 [0071.435] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0071.436] lstrlenW (lpString="afr38.exe") returned 9 [0071.436] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0071.437] lstrlenW (lpString="aldelo.exe") returned 10 [0071.437] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0071.438] lstrlenW (lpString="ccv_server.exe") returned 14 [0071.438] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0071.439] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0071.439] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0071.658] lstrlenW (lpString="creditservice.exe") returned 17 [0071.658] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0071.659] lstrlenW (lpString="edcsvr.exe") returned 10 [0071.659] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0071.660] lstrlenW (lpString="fpos.exe") returned 8 [0071.660] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0071.660] lstrlenW (lpString="isspos.exe") returned 10 [0071.660] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0071.661] lstrlenW (lpString="mxslipstream.exe") returned 16 [0071.661] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0071.662] lstrlenW (lpString="omnipos.exe") returned 11 [0071.662] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0071.662] lstrlenW (lpString="spcwin.exe") returned 10 [0071.662] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0071.663] lstrlenW (lpString="spgagentservice.exe") returned 19 [0071.663] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0071.664] lstrlenW (lpString="utg2.exe") returned 8 [0071.664] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0071.665] lstrlenW (lpString="forced-british.exe") returned 18 [0071.665] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0071.665] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0071.665] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0071.666] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0071.666] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0071.667] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0071.667] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0071.668] lstrlenW (lpString="kenya.exe") returned 9 [0071.668] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0071.668] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0071.668] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0071.669] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0071.669] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0071.670] lstrlenW (lpString="taskhost.exe") returned 12 [0071.670] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0071.671] lstrlenW (lpString="dmyurb.exe") returned 10 [0071.671] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0071.671] lstrlenW (lpString="cmd.exe") returned 7 [0071.671] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0071.672] lstrlenW (lpString="conhost.exe") returned 11 [0071.672] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0071.673] lstrlenW (lpString="vssadmin.exe") returned 12 [0071.673] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0071.673] CloseHandle (hObject=0x1ec) returned 1 [0071.673] Sleep (dwMilliseconds=0x1f4) [0072.287] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df948 [0072.287] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0072.287] GetLastError () returned 0xea [0072.287] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x11e4) returned 0x293ff8 [0072.288] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x11e4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0072.289] CloseServiceHandle (hSCObject=0x2df948) returned 1 [0072.289] lstrlenW (lpString="Appinfo") returned 7 [0072.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0072.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0072.289] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0072.289] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0072.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0072.289] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0072.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0072.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0072.289] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0072.289] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0072.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0072.290] lstrlenW (lpString="AudioSrv") returned 8 [0072.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0072.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0072.290] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0072.290] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0072.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0072.290] lstrlenW (lpString="BFE") returned 3 [0072.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0072.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0072.290] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0072.290] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0072.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0072.290] lstrlenW (lpString="CryptSvc") returned 8 [0072.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0072.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0072.290] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0072.290] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0072.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0072.290] lstrlenW (lpString="CscService") returned 10 [0072.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0072.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0072.290] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0072.290] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0072.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0072.290] lstrlenW (lpString="DcomLaunch") returned 10 [0072.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0072.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0072.290] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0072.291] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0072.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0072.291] lstrlenW (lpString="Dhcp") returned 4 [0072.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0072.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0072.291] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0072.291] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0072.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0072.291] lstrlenW (lpString="Dnscache") returned 8 [0072.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0072.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0072.291] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0072.291] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0072.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0072.291] lstrlenW (lpString="DPS") returned 3 [0072.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0072.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0072.291] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0072.291] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0072.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0072.291] lstrlenW (lpString="eventlog") returned 8 [0072.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0072.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0072.291] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0072.291] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0072.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0072.291] lstrlenW (lpString="EventSystem") returned 11 [0072.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0072.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0072.292] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0072.292] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0072.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0072.292] lstrlenW (lpString="gpsvc") returned 5 [0072.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0072.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0072.292] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0072.292] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0072.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0072.292] lstrlenW (lpString="iphlpsvc") returned 8 [0072.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0072.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0072.292] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0072.292] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0072.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0072.294] lstrlenW (lpString="LanmanServer") returned 12 [0072.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0072.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0072.294] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0072.294] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0072.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0072.294] lstrlenW (lpString="LanmanWorkstation") returned 17 [0072.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0072.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0072.294] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0072.294] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0072.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0072.294] lstrlenW (lpString="lmhosts") returned 7 [0072.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0072.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0072.294] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0072.294] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0072.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0072.294] lstrlenW (lpString="MMCSS") returned 5 [0072.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0072.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0072.294] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0072.294] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0072.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0072.294] lstrlenW (lpString="MpsSvc") returned 6 [0072.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0072.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0072.294] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0072.295] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0072.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0072.295] lstrlenW (lpString="Netman") returned 6 [0072.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0072.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0072.295] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0072.295] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0072.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0072.295] lstrlenW (lpString="netprofm") returned 8 [0072.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0072.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0072.295] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0072.295] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0072.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0072.295] lstrlenW (lpString="NlaSvc") returned 6 [0072.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0072.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0072.295] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0072.295] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0072.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0072.295] lstrlenW (lpString="nsi") returned 3 [0072.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0072.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0072.295] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0072.295] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0072.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0072.295] lstrlenW (lpString="PcaSvc") returned 6 [0072.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0072.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0072.296] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0072.296] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0072.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0072.296] lstrlenW (lpString="PlugPlay") returned 8 [0072.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0072.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0072.296] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0072.296] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0072.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0072.296] lstrlenW (lpString="Power") returned 5 [0072.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0072.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0072.296] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0072.296] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0072.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0072.296] lstrlenW (lpString="ProfSvc") returned 7 [0072.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0072.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0072.296] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0072.296] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0072.296] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0072.296] lstrlenW (lpString="RpcEptMapper") returned 12 [0072.296] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0072.296] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0072.297] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0072.297] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0072.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0072.297] lstrlenW (lpString="RpcSs") returned 5 [0072.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0072.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0072.297] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0072.297] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0072.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0072.297] lstrlenW (lpString="SamSs") returned 5 [0072.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0072.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0072.297] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0072.297] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0072.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0072.297] lstrlenW (lpString="Schedule") returned 8 [0072.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0072.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0072.297] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0072.297] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0072.297] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0072.297] lstrlenW (lpString="SENS") returned 4 [0072.297] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0072.297] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0072.297] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0072.297] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0072.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0072.298] lstrlenW (lpString="ShellHWDetection") returned 16 [0072.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0072.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0072.298] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0072.298] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0072.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0072.298] lstrlenW (lpString="Spooler") returned 7 [0072.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0072.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0072.298] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0072.298] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0072.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0072.298] lstrlenW (lpString="SysMain") returned 7 [0072.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0072.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0072.298] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0072.298] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0072.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0072.298] lstrlenW (lpString="Themes") returned 6 [0072.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0072.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0072.298] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0072.298] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0072.298] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0072.298] lstrlenW (lpString="TrkWks") returned 6 [0072.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0072.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0072.299] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0072.299] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0072.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0072.299] lstrlenW (lpString="UxSms") returned 5 [0072.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0072.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0072.299] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0072.299] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0072.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0072.299] lstrlenW (lpString="WdiServiceHost") returned 14 [0072.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0072.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0072.299] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0072.299] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0072.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0072.299] lstrlenW (lpString="WdiSystemHost") returned 13 [0072.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0072.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0072.299] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0072.299] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0072.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0072.299] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0072.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0072.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0072.299] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0072.299] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0072.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0072.300] lstrlenW (lpString="Winmgmt") returned 7 [0072.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0072.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0072.300] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0072.300] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0072.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0072.300] lstrlenW (lpString="WPDBusEnum") returned 10 [0072.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0072.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0072.300] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0072.300] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0072.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0072.300] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0072.300] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1ec [0072.305] Process32FirstW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0072.306] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0072.306] lstrlenW (lpString="System") returned 6 [0072.306] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0072.307] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0072.307] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0072.307] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0072.307] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0072.307] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0072.307] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0072.307] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0072.307] lstrlenW (lpString="smss.exe") returned 8 [0072.307] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0072.308] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0072.308] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0072.308] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0072.308] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0072.308] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0072.308] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0072.308] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0072.309] lstrlenW (lpString="csrss.exe") returned 9 [0072.309] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0072.309] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0072.309] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0072.309] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0072.309] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0072.309] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0072.309] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0072.309] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0072.310] lstrlenW (lpString="wininit.exe") returned 11 [0072.310] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0072.310] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0072.310] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0072.310] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0072.310] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0072.310] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0072.310] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0072.310] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0072.311] lstrlenW (lpString="csrss.exe") returned 9 [0072.311] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0072.311] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0072.311] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0072.311] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0072.311] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0072.311] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0072.311] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0072.312] lstrlenW (lpString="winlogon.exe") returned 12 [0072.312] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0072.313] lstrlenW (lpString="services.exe") returned 12 [0072.313] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0072.326] lstrlenW (lpString="lsass.exe") returned 9 [0072.326] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0072.327] lstrlenW (lpString="lsm.exe") returned 7 [0072.327] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.328] lstrlenW (lpString="svchost.exe") returned 11 [0072.328] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.328] lstrlenW (lpString="svchost.exe") returned 11 [0072.328] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.329] lstrlenW (lpString="svchost.exe") returned 11 [0072.329] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.330] lstrlenW (lpString="svchost.exe") returned 11 [0072.330] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.330] lstrlenW (lpString="svchost.exe") returned 11 [0072.330] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0072.331] lstrlenW (lpString="audiodg.exe") returned 11 [0072.331] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.332] lstrlenW (lpString="svchost.exe") returned 11 [0072.332] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.332] lstrlenW (lpString="svchost.exe") returned 11 [0072.332] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0072.333] lstrlenW (lpString="dwm.exe") returned 7 [0072.333] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0072.334] lstrlenW (lpString="explorer.exe") returned 12 [0072.334] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0072.334] lstrlenW (lpString="spoolsv.exe") returned 11 [0072.335] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0072.335] lstrlenW (lpString="svchost.exe") returned 11 [0072.335] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0072.336] lstrlenW (lpString="taskhost.exe") returned 12 [0072.336] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0072.337] lstrlenW (lpString="taskeng.exe") returned 11 [0072.337] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0072.337] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0072.338] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0072.338] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0072.338] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0072.339] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0072.339] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0072.340] lstrlenW (lpString="celebration.exe") returned 15 [0072.340] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0072.340] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0072.340] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0072.341] lstrlenW (lpString="americansislamic.exe") returned 20 [0072.341] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0072.342] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0072.342] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0072.343] lstrlenW (lpString="sm-aud.exe") returned 10 [0072.343] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0072.343] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0072.343] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0072.344] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0072.509] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0072.509] lstrlenW (lpString="lap.exe") returned 7 [0072.509] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0072.510] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0072.510] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0072.511] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0072.511] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0072.511] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0072.511] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0072.512] lstrlenW (lpString="completion.exe") returned 14 [0072.512] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0072.513] lstrlenW (lpString="independently.exe") returned 17 [0072.513] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0072.514] lstrlenW (lpString="mel_kinase.exe") returned 14 [0072.514] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0072.514] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0072.514] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0072.515] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0072.515] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0072.516] lstrlenW (lpString="3dftp.exe") returned 9 [0072.516] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0072.516] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0072.516] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0072.517] lstrlenW (lpString="alftp.exe") returned 9 [0072.517] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0072.518] lstrlenW (lpString="barca.exe") returned 9 [0072.518] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0072.518] lstrlenW (lpString="bitkinex.exe") returned 12 [0072.518] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0072.519] lstrlenW (lpString="coreftp.exe") returned 11 [0072.519] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0072.520] lstrlenW (lpString="far.exe") returned 7 [0072.520] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0072.521] lstrlenW (lpString="filezilla.exe") returned 13 [0072.521] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0072.521] lstrlenW (lpString="flashfxp.exe") returned 12 [0072.521] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0072.522] lstrlenW (lpString="fling.exe") returned 9 [0072.522] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0072.523] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0072.523] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0072.524] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0072.524] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0072.524] lstrlenW (lpString="icq.exe") returned 7 [0072.524] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0072.525] lstrlenW (lpString="leechftp.exe") returned 12 [0072.525] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0072.526] lstrlenW (lpString="ncftp.exe") returned 9 [0072.526] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0072.527] lstrlenW (lpString="notepad.exe") returned 11 [0072.527] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0072.528] lstrlenW (lpString="operamail.exe") returned 13 [0072.528] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0072.529] lstrlenW (lpString="pidgin.exe") returned 10 [0072.529] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0072.530] lstrlenW (lpString="scriptftp.exe") returned 13 [0072.530] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0072.531] lstrlenW (lpString="skype.exe") returned 9 [0072.532] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0072.533] lstrlenW (lpString="smartftp.exe") returned 12 [0072.533] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0072.534] lstrlenW (lpString="thunderbird.exe") returned 15 [0072.534] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0072.535] lstrlenW (lpString="totalcmd.exe") returned 12 [0072.535] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0072.536] lstrlenW (lpString="trillian.exe") returned 12 [0072.536] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0072.537] lstrlenW (lpString="webdrive.exe") returned 12 [0072.537] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0072.538] lstrlenW (lpString="whatsapp.exe") returned 12 [0072.538] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0072.539] lstrlenW (lpString="winscp.exe") returned 10 [0072.539] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0072.540] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0072.540] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0072.541] lstrlenW (lpString="active-charge.exe") returned 17 [0072.541] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0072.542] lstrlenW (lpString="accupos.exe") returned 11 [0072.542] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0072.543] lstrlenW (lpString="afr38.exe") returned 9 [0072.543] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0072.544] lstrlenW (lpString="aldelo.exe") returned 10 [0072.544] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0072.545] lstrlenW (lpString="ccv_server.exe") returned 14 [0072.545] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0072.546] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0072.546] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0072.654] lstrlenW (lpString="creditservice.exe") returned 17 [0072.654] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0072.655] lstrlenW (lpString="edcsvr.exe") returned 10 [0072.655] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0072.656] lstrlenW (lpString="fpos.exe") returned 8 [0072.657] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0072.657] lstrlenW (lpString="isspos.exe") returned 10 [0072.658] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0072.658] lstrlenW (lpString="mxslipstream.exe") returned 16 [0072.658] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0072.659] lstrlenW (lpString="omnipos.exe") returned 11 [0072.659] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0072.660] lstrlenW (lpString="spcwin.exe") returned 10 [0072.660] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0072.661] lstrlenW (lpString="spgagentservice.exe") returned 19 [0072.661] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0072.662] lstrlenW (lpString="utg2.exe") returned 8 [0072.662] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0072.663] lstrlenW (lpString="forced-british.exe") returned 18 [0072.663] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0072.664] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0072.664] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0072.665] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0072.665] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0072.665] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0072.665] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0072.666] lstrlenW (lpString="kenya.exe") returned 9 [0072.666] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0072.667] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0072.667] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0072.667] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0072.667] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0072.668] lstrlenW (lpString="taskhost.exe") returned 12 [0072.668] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0072.669] lstrlenW (lpString="dmyurb.exe") returned 10 [0072.669] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0072.670] lstrlenW (lpString="cmd.exe") returned 7 [0072.670] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0072.670] lstrlenW (lpString="conhost.exe") returned 11 [0072.670] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0072.671] lstrlenW (lpString="vssadmin.exe") returned 12 [0072.671] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0072.673] CloseHandle (hObject=0x1ec) returned 1 [0072.673] Sleep (dwMilliseconds=0x1f4) [0073.283] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df948 [0073.283] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0073.284] GetLastError () returned 0xea [0073.284] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x123e) returned 0x293ff8 [0073.284] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x123e, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0073.285] CloseServiceHandle (hSCObject=0x2df948) returned 1 [0073.285] lstrlenW (lpString="Appinfo") returned 7 [0073.285] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0073.285] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0073.285] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0073.285] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0073.285] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0073.285] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0073.285] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0073.285] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0073.285] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0073.285] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0073.285] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0073.285] lstrlenW (lpString="AudioSrv") returned 8 [0073.285] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0073.286] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0073.286] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0073.286] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0073.286] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0073.286] lstrlenW (lpString="BFE") returned 3 [0073.286] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0073.286] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0073.286] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0073.286] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0073.286] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0073.286] lstrlenW (lpString="CryptSvc") returned 8 [0073.286] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0073.286] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0073.286] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0073.286] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0073.286] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0073.286] lstrlenW (lpString="CscService") returned 10 [0073.286] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0073.286] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0073.286] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0073.286] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0073.286] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0073.286] lstrlenW (lpString="DcomLaunch") returned 10 [0073.286] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0073.286] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0073.286] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0073.286] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0073.286] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0073.287] lstrlenW (lpString="Dhcp") returned 4 [0073.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0073.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0073.287] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0073.287] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0073.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0073.287] lstrlenW (lpString="Dnscache") returned 8 [0073.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0073.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0073.287] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0073.287] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0073.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0073.287] lstrlenW (lpString="DPS") returned 3 [0073.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0073.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0073.287] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0073.287] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0073.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0073.287] lstrlenW (lpString="eventlog") returned 8 [0073.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0073.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0073.287] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0073.287] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0073.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0073.287] lstrlenW (lpString="EventSystem") returned 11 [0073.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0073.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0073.287] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0073.287] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0073.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0073.288] lstrlenW (lpString="gpsvc") returned 5 [0073.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0073.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0073.288] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0073.288] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0073.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0073.288] lstrlenW (lpString="iphlpsvc") returned 8 [0073.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0073.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0073.288] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0073.288] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0073.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0073.288] lstrlenW (lpString="LanmanServer") returned 12 [0073.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0073.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0073.288] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0073.288] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0073.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0073.288] lstrlenW (lpString="LanmanWorkstation") returned 17 [0073.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0073.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0073.288] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0073.288] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0073.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0073.288] lstrlenW (lpString="lmhosts") returned 7 [0073.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0073.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0073.289] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0073.289] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0073.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0073.289] lstrlenW (lpString="MMCSS") returned 5 [0073.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0073.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0073.289] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0073.289] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0073.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0073.289] lstrlenW (lpString="MpsSvc") returned 6 [0073.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0073.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0073.289] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0073.289] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0073.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0073.289] lstrlenW (lpString="Netman") returned 6 [0073.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0073.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0073.289] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0073.289] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0073.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0073.289] lstrlenW (lpString="netprofm") returned 8 [0073.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0073.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0073.289] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0073.289] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0073.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0073.290] lstrlenW (lpString="NlaSvc") returned 6 [0073.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0073.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0073.290] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0073.290] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0073.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0073.290] lstrlenW (lpString="nsi") returned 3 [0073.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0073.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0073.290] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0073.290] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0073.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0073.290] lstrlenW (lpString="PcaSvc") returned 6 [0073.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0073.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0073.290] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0073.290] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0073.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0073.290] lstrlenW (lpString="PlugPlay") returned 8 [0073.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0073.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0073.290] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0073.290] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0073.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0073.290] lstrlenW (lpString="Power") returned 5 [0073.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0073.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0073.291] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0073.291] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0073.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0073.291] lstrlenW (lpString="ProfSvc") returned 7 [0073.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0073.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0073.291] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0073.291] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0073.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0073.291] lstrlenW (lpString="RpcEptMapper") returned 12 [0073.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0073.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0073.291] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0073.291] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0073.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0073.291] lstrlenW (lpString="RpcSs") returned 5 [0073.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0073.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0073.291] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0073.291] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0073.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0073.291] lstrlenW (lpString="SamSs") returned 5 [0073.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0073.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0073.291] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0073.291] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0073.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0073.291] lstrlenW (lpString="Schedule") returned 8 [0073.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0073.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0073.292] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0073.292] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0073.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0073.292] lstrlenW (lpString="SENS") returned 4 [0073.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0073.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0073.292] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0073.292] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0073.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0073.292] lstrlenW (lpString="ShellHWDetection") returned 16 [0073.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0073.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0073.292] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0073.292] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0073.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0073.292] lstrlenW (lpString="Spooler") returned 7 [0073.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0073.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0073.292] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0073.292] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0073.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0073.292] lstrlenW (lpString="SysMain") returned 7 [0073.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0073.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0073.292] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0073.292] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0073.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0073.293] lstrlenW (lpString="Themes") returned 6 [0073.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0073.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0073.293] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0073.293] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0073.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0073.293] lstrlenW (lpString="TrkWks") returned 6 [0073.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0073.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0073.293] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0073.293] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0073.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0073.293] lstrlenW (lpString="UxSms") returned 5 [0073.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0073.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0073.293] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0073.293] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0073.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0073.293] lstrlenW (lpString="VSS") returned 3 [0073.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0073.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0073.293] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0073.293] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0073.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0073.293] lstrlenW (lpString="WdiServiceHost") returned 14 [0073.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0073.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0073.294] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0073.294] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0073.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0073.294] lstrlenW (lpString="WdiSystemHost") returned 13 [0073.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0073.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0073.294] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0073.294] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0073.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0073.294] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0073.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0073.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0073.294] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0073.294] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0073.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0073.294] lstrlenW (lpString="Winmgmt") returned 7 [0073.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0073.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0073.294] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0073.294] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0073.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0073.294] lstrlenW (lpString="WPDBusEnum") returned 10 [0073.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0073.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0073.294] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0073.294] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0073.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0073.295] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0073.295] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f0 [0073.300] Process32FirstW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.300] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0073.301] lstrlenW (lpString="System") returned 6 [0073.301] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0073.301] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0073.301] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0073.301] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0073.301] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0073.301] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0073.301] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0073.301] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0073.302] lstrlenW (lpString="smss.exe") returned 8 [0073.302] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0073.302] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0073.302] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0073.302] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0073.302] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0073.302] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0073.302] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0073.302] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0073.303] lstrlenW (lpString="csrss.exe") returned 9 [0073.303] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0073.303] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0073.303] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0073.303] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0073.303] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0073.303] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0073.303] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0073.303] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0073.304] lstrlenW (lpString="wininit.exe") returned 11 [0073.304] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0073.304] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0073.304] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0073.304] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0073.304] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0073.304] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0073.304] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0073.304] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0073.305] lstrlenW (lpString="csrss.exe") returned 9 [0073.305] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0073.305] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0073.305] lstrlenW (lpString="winlogon.exe") returned 12 [0073.305] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0073.306] lstrlenW (lpString="services.exe") returned 12 [0073.306] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0073.307] lstrlenW (lpString="lsass.exe") returned 9 [0073.307] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0073.307] lstrlenW (lpString="lsm.exe") returned 7 [0073.307] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.308] lstrlenW (lpString="svchost.exe") returned 11 [0073.308] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.309] lstrlenW (lpString="svchost.exe") returned 11 [0073.309] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.310] lstrlenW (lpString="svchost.exe") returned 11 [0073.310] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.310] lstrlenW (lpString="svchost.exe") returned 11 [0073.310] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.311] lstrlenW (lpString="svchost.exe") returned 11 [0073.311] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0073.312] lstrlenW (lpString="audiodg.exe") returned 11 [0073.312] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.313] lstrlenW (lpString="svchost.exe") returned 11 [0073.313] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.313] lstrlenW (lpString="svchost.exe") returned 11 [0073.314] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0073.314] lstrlenW (lpString="dwm.exe") returned 7 [0073.314] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0073.315] lstrlenW (lpString="explorer.exe") returned 12 [0073.315] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0073.315] lstrlenW (lpString="spoolsv.exe") returned 11 [0073.316] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0073.316] lstrlenW (lpString="svchost.exe") returned 11 [0073.316] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0073.317] lstrlenW (lpString="taskhost.exe") returned 12 [0073.317] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0073.318] lstrlenW (lpString="taskeng.exe") returned 11 [0073.318] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0073.318] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0073.318] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0073.319] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0073.319] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0073.320] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0073.320] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0073.320] lstrlenW (lpString="celebration.exe") returned 15 [0073.320] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0073.321] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0073.321] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0073.322] lstrlenW (lpString="americansislamic.exe") returned 20 [0073.322] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0073.322] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0073.322] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0073.323] lstrlenW (lpString="sm-aud.exe") returned 10 [0073.323] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0073.324] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0073.324] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0073.324] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0073.324] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0073.325] lstrlenW (lpString="lap.exe") returned 7 [0073.325] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0073.326] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0073.326] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0073.326] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0073.326] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0073.327] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0073.327] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0073.328] lstrlenW (lpString="completion.exe") returned 14 [0073.328] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0073.811] lstrlenW (lpString="independently.exe") returned 17 [0073.811] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0073.812] lstrlenW (lpString="mel_kinase.exe") returned 14 [0073.812] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0073.813] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0073.813] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0073.813] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0073.814] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0073.814] lstrlenW (lpString="3dftp.exe") returned 9 [0073.814] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0073.815] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0073.815] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0073.816] lstrlenW (lpString="alftp.exe") returned 9 [0073.816] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0073.816] lstrlenW (lpString="barca.exe") returned 9 [0073.816] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0073.817] lstrlenW (lpString="bitkinex.exe") returned 12 [0073.817] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0073.818] lstrlenW (lpString="coreftp.exe") returned 11 [0073.818] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0073.818] lstrlenW (lpString="far.exe") returned 7 [0073.819] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0073.819] lstrlenW (lpString="filezilla.exe") returned 13 [0073.819] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0073.820] lstrlenW (lpString="flashfxp.exe") returned 12 [0073.820] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0073.821] lstrlenW (lpString="fling.exe") returned 9 [0073.821] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0073.821] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0073.821] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0073.822] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0073.822] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0073.823] lstrlenW (lpString="icq.exe") returned 7 [0073.823] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0073.824] lstrlenW (lpString="leechftp.exe") returned 12 [0073.824] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0073.824] lstrlenW (lpString="ncftp.exe") returned 9 [0073.824] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0073.825] lstrlenW (lpString="notepad.exe") returned 11 [0073.825] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0073.826] lstrlenW (lpString="operamail.exe") returned 13 [0073.826] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0073.827] lstrlenW (lpString="pidgin.exe") returned 10 [0073.827] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0073.829] lstrlenW (lpString="scriptftp.exe") returned 13 [0073.829] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0073.830] lstrlenW (lpString="skype.exe") returned 9 [0073.830] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0073.831] lstrlenW (lpString="smartftp.exe") returned 12 [0073.831] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0073.832] lstrlenW (lpString="thunderbird.exe") returned 15 [0073.832] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0073.833] lstrlenW (lpString="totalcmd.exe") returned 12 [0073.833] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0073.834] lstrlenW (lpString="trillian.exe") returned 12 [0073.834] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0073.835] lstrlenW (lpString="webdrive.exe") returned 12 [0073.835] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0073.836] lstrlenW (lpString="whatsapp.exe") returned 12 [0073.836] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0073.837] lstrlenW (lpString="winscp.exe") returned 10 [0073.837] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0073.838] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0073.838] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0073.839] lstrlenW (lpString="active-charge.exe") returned 17 [0073.839] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0073.840] lstrlenW (lpString="accupos.exe") returned 11 [0073.840] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0073.841] lstrlenW (lpString="afr38.exe") returned 9 [0073.841] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0074.317] lstrlenW (lpString="aldelo.exe") returned 10 [0074.317] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0074.367] lstrlenW (lpString="ccv_server.exe") returned 14 [0074.367] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0074.368] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0074.368] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0074.369] lstrlenW (lpString="creditservice.exe") returned 17 [0074.369] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0074.370] lstrlenW (lpString="edcsvr.exe") returned 10 [0074.370] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0074.371] lstrlenW (lpString="fpos.exe") returned 8 [0074.371] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0074.386] lstrlenW (lpString="isspos.exe") returned 10 [0074.386] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0074.386] lstrlenW (lpString="mxslipstream.exe") returned 16 [0074.386] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0074.387] lstrlenW (lpString="omnipos.exe") returned 11 [0074.387] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0074.388] lstrlenW (lpString="spcwin.exe") returned 10 [0074.388] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0074.389] lstrlenW (lpString="spgagentservice.exe") returned 19 [0074.389] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0074.390] lstrlenW (lpString="utg2.exe") returned 8 [0074.390] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0074.390] lstrlenW (lpString="forced-british.exe") returned 18 [0074.390] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0074.391] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0074.391] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0074.392] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0074.392] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0074.392] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0074.392] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0074.393] lstrlenW (lpString="kenya.exe") returned 9 [0074.393] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0074.393] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0074.394] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0074.394] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0074.394] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0074.395] lstrlenW (lpString="taskhost.exe") returned 12 [0074.395] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0074.395] lstrlenW (lpString="dmyurb.exe") returned 10 [0074.395] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0074.396] lstrlenW (lpString="cmd.exe") returned 7 [0074.396] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0074.397] lstrlenW (lpString="conhost.exe") returned 11 [0074.397] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0074.403] lstrlenW (lpString="vssadmin.exe") returned 12 [0074.403] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0074.404] lstrlenW (lpString="VSSVC.exe") returned 9 [0074.404] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0074.405] CloseHandle (hObject=0x1f0) returned 1 [0074.405] Sleep (dwMilliseconds=0x1f4) [0075.593] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df948 [0075.594] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0075.594] GetLastError () returned 0xea [0075.594] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x123e) returned 0x293ff8 [0075.594] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x123e, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0075.595] CloseServiceHandle (hSCObject=0x2df948) returned 1 [0075.595] lstrlenW (lpString="Appinfo") returned 7 [0075.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0075.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0075.595] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0075.595] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0075.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0075.595] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0075.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0075.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0075.595] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0075.595] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0075.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0075.595] lstrlenW (lpString="AudioSrv") returned 8 [0075.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0075.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0075.595] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0075.595] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0075.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0075.595] lstrlenW (lpString="BFE") returned 3 [0075.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0075.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0075.595] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0075.595] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0075.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0075.596] lstrlenW (lpString="CryptSvc") returned 8 [0075.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0075.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0075.596] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0075.596] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0075.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0075.596] lstrlenW (lpString="CscService") returned 10 [0075.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0075.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0075.596] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0075.596] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0075.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0075.596] lstrlenW (lpString="DcomLaunch") returned 10 [0075.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0075.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0075.596] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0075.596] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0075.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0075.596] lstrlenW (lpString="Dhcp") returned 4 [0075.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0075.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0075.596] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0075.596] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0075.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0075.596] lstrlenW (lpString="Dnscache") returned 8 [0075.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0075.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0075.596] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0075.596] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0075.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0075.596] lstrlenW (lpString="DPS") returned 3 [0075.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0075.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0075.596] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0075.596] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0075.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0075.597] lstrlenW (lpString="eventlog") returned 8 [0075.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0075.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0075.597] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0075.597] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0075.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0075.597] lstrlenW (lpString="EventSystem") returned 11 [0075.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0075.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0075.597] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0075.597] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0075.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0075.597] lstrlenW (lpString="gpsvc") returned 5 [0075.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0075.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0075.597] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0075.597] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0075.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0075.597] lstrlenW (lpString="iphlpsvc") returned 8 [0075.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0075.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0075.597] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0075.597] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0075.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0075.597] lstrlenW (lpString="LanmanServer") returned 12 [0075.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0075.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0075.597] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0075.597] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0075.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0075.597] lstrlenW (lpString="LanmanWorkstation") returned 17 [0075.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0075.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0075.598] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0075.598] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0075.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0075.598] lstrlenW (lpString="lmhosts") returned 7 [0075.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0075.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0075.598] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0075.598] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0075.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0075.598] lstrlenW (lpString="MMCSS") returned 5 [0075.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0075.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0075.598] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0075.598] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0075.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0075.598] lstrlenW (lpString="MpsSvc") returned 6 [0075.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0075.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0075.598] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0075.598] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0075.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0075.598] lstrlenW (lpString="Netman") returned 6 [0075.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0075.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0075.598] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0075.598] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0075.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0075.598] lstrlenW (lpString="netprofm") returned 8 [0075.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0075.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0075.598] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0075.598] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0075.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0075.598] lstrlenW (lpString="NlaSvc") returned 6 [0075.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0075.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0075.599] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0075.599] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0075.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0075.599] lstrlenW (lpString="nsi") returned 3 [0075.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0075.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0075.599] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0075.599] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0075.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0075.599] lstrlenW (lpString="PcaSvc") returned 6 [0075.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0075.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0075.599] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0075.599] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0075.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0075.599] lstrlenW (lpString="PlugPlay") returned 8 [0075.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0075.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0075.599] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0075.599] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0075.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0075.599] lstrlenW (lpString="Power") returned 5 [0075.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0075.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0075.599] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0075.599] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0075.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0075.599] lstrlenW (lpString="ProfSvc") returned 7 [0075.599] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0075.599] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0075.599] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0075.599] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0075.599] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0075.599] lstrlenW (lpString="RpcEptMapper") returned 12 [0075.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0075.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0075.600] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0075.600] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0075.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0075.600] lstrlenW (lpString="RpcSs") returned 5 [0075.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0075.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0075.600] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0075.600] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0075.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0075.600] lstrlenW (lpString="SamSs") returned 5 [0075.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0075.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0075.600] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0075.600] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0075.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0075.600] lstrlenW (lpString="Schedule") returned 8 [0075.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0075.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0075.600] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0075.600] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0075.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0075.600] lstrlenW (lpString="SENS") returned 4 [0075.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0075.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0075.600] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0075.600] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0075.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0075.600] lstrlenW (lpString="ShellHWDetection") returned 16 [0075.600] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0075.600] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0075.600] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0075.600] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0075.600] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0075.600] lstrlenW (lpString="Spooler") returned 7 [0075.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0075.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0075.601] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0075.601] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0075.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0075.601] lstrlenW (lpString="SysMain") returned 7 [0075.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0075.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0075.601] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0075.601] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0075.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0075.601] lstrlenW (lpString="Themes") returned 6 [0075.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0075.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0075.601] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0075.601] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0075.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0075.601] lstrlenW (lpString="TrkWks") returned 6 [0075.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0075.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0075.601] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0075.601] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0075.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0075.601] lstrlenW (lpString="UxSms") returned 5 [0075.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0075.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0075.601] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0075.601] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0075.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0075.601] lstrlenW (lpString="VSS") returned 3 [0075.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0075.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0075.601] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0075.601] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0075.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0075.602] lstrlenW (lpString="WdiServiceHost") returned 14 [0075.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0075.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0075.602] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0075.602] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0075.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0075.602] lstrlenW (lpString="WdiSystemHost") returned 13 [0075.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0075.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0075.602] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0075.602] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0075.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0075.602] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0075.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0075.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0075.602] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0075.602] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0075.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0075.602] lstrlenW (lpString="Winmgmt") returned 7 [0075.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0075.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0075.602] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0075.602] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0075.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0075.602] lstrlenW (lpString="WPDBusEnum") returned 10 [0075.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0075.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0075.602] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0075.602] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0075.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0075.602] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0075.602] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0075.620] Process32FirstW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.621] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0075.621] lstrlenW (lpString="System") returned 6 [0075.621] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0075.621] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0075.621] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0075.621] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0075.621] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0075.621] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0075.622] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0075.622] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0075.622] lstrlenW (lpString="smss.exe") returned 8 [0075.622] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0075.622] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0075.622] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0075.622] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0075.622] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0075.622] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0075.622] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0075.622] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0075.623] lstrlenW (lpString="csrss.exe") returned 9 [0075.623] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0075.623] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0075.623] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0075.623] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0075.623] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0075.623] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0075.623] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0075.623] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0075.623] lstrlenW (lpString="wininit.exe") returned 11 [0075.623] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0075.624] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0075.624] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0075.624] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0075.624] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0075.624] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0075.624] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0075.624] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0075.624] lstrlenW (lpString="csrss.exe") returned 9 [0075.624] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0075.624] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0075.625] lstrlenW (lpString="winlogon.exe") returned 12 [0075.625] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0075.625] lstrlenW (lpString="services.exe") returned 12 [0075.625] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0075.626] lstrlenW (lpString="lsass.exe") returned 9 [0075.626] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0075.626] lstrlenW (lpString="lsm.exe") returned 7 [0075.626] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.627] lstrlenW (lpString="svchost.exe") returned 11 [0075.627] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.627] lstrlenW (lpString="svchost.exe") returned 11 [0075.627] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.628] lstrlenW (lpString="svchost.exe") returned 11 [0075.628] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.628] lstrlenW (lpString="svchost.exe") returned 11 [0075.629] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.629] lstrlenW (lpString="svchost.exe") returned 11 [0075.629] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0075.630] lstrlenW (lpString="audiodg.exe") returned 11 [0075.630] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.630] lstrlenW (lpString="svchost.exe") returned 11 [0075.630] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.631] lstrlenW (lpString="svchost.exe") returned 11 [0075.631] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0075.631] lstrlenW (lpString="dwm.exe") returned 7 [0075.631] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0075.632] lstrlenW (lpString="explorer.exe") returned 12 [0075.632] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0075.632] lstrlenW (lpString="spoolsv.exe") returned 11 [0075.632] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0075.633] lstrlenW (lpString="svchost.exe") returned 11 [0075.633] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0075.633] lstrlenW (lpString="taskhost.exe") returned 12 [0075.633] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0075.634] lstrlenW (lpString="taskeng.exe") returned 11 [0075.634] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0075.634] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0075.634] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0075.635] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0075.635] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0075.635] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0075.635] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0075.636] lstrlenW (lpString="celebration.exe") returned 15 [0075.636] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0075.636] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0075.636] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0075.637] lstrlenW (lpString="americansislamic.exe") returned 20 [0075.637] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0075.638] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0075.638] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0075.638] lstrlenW (lpString="sm-aud.exe") returned 10 [0075.638] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0075.639] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0075.639] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0075.639] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0075.639] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0075.640] lstrlenW (lpString="lap.exe") returned 7 [0075.640] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0075.640] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0075.640] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0075.641] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0075.641] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0075.641] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0075.641] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0075.642] lstrlenW (lpString="completion.exe") returned 14 [0075.642] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0075.642] lstrlenW (lpString="independently.exe") returned 17 [0075.642] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0075.643] lstrlenW (lpString="mel_kinase.exe") returned 14 [0075.643] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0075.643] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0075.643] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0075.644] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0075.644] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0075.644] lstrlenW (lpString="3dftp.exe") returned 9 [0075.644] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0075.645] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0075.645] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0075.645] lstrlenW (lpString="alftp.exe") returned 9 [0075.646] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0075.646] lstrlenW (lpString="barca.exe") returned 9 [0075.646] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0075.647] lstrlenW (lpString="bitkinex.exe") returned 12 [0075.647] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0075.647] lstrlenW (lpString="coreftp.exe") returned 11 [0075.647] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0075.648] lstrlenW (lpString="far.exe") returned 7 [0075.648] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0075.648] lstrlenW (lpString="filezilla.exe") returned 13 [0075.649] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0075.649] lstrlenW (lpString="flashfxp.exe") returned 12 [0075.649] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0075.650] lstrlenW (lpString="fling.exe") returned 9 [0075.650] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0075.650] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0075.650] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0075.651] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0075.651] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0075.896] lstrlenW (lpString="icq.exe") returned 7 [0075.896] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0075.897] lstrlenW (lpString="leechftp.exe") returned 12 [0075.897] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0075.898] lstrlenW (lpString="ncftp.exe") returned 9 [0075.898] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0075.899] lstrlenW (lpString="notepad.exe") returned 11 [0075.899] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0075.900] lstrlenW (lpString="operamail.exe") returned 13 [0075.900] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0075.901] lstrlenW (lpString="pidgin.exe") returned 10 [0075.901] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0075.902] lstrlenW (lpString="scriptftp.exe") returned 13 [0075.902] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0075.903] lstrlenW (lpString="skype.exe") returned 9 [0075.903] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0075.904] lstrlenW (lpString="smartftp.exe") returned 12 [0075.904] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0075.905] lstrlenW (lpString="thunderbird.exe") returned 15 [0075.906] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0075.906] lstrlenW (lpString="totalcmd.exe") returned 12 [0075.907] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0075.908] lstrlenW (lpString="trillian.exe") returned 12 [0075.908] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0075.909] lstrlenW (lpString="webdrive.exe") returned 12 [0075.909] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0075.909] lstrlenW (lpString="whatsapp.exe") returned 12 [0075.910] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0075.910] lstrlenW (lpString="winscp.exe") returned 10 [0075.911] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0075.911] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0075.912] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0075.912] lstrlenW (lpString="active-charge.exe") returned 17 [0075.912] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0075.913] lstrlenW (lpString="accupos.exe") returned 11 [0075.914] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0075.914] lstrlenW (lpString="afr38.exe") returned 9 [0075.914] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0075.915] lstrlenW (lpString="aldelo.exe") returned 10 [0075.915] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0075.916] lstrlenW (lpString="ccv_server.exe") returned 14 [0075.916] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0075.917] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0075.917] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0075.918] lstrlenW (lpString="creditservice.exe") returned 17 [0075.918] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0075.919] lstrlenW (lpString="edcsvr.exe") returned 10 [0075.919] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0075.919] lstrlenW (lpString="fpos.exe") returned 8 [0075.919] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0075.920] lstrlenW (lpString="isspos.exe") returned 10 [0075.920] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0075.921] lstrlenW (lpString="mxslipstream.exe") returned 16 [0075.921] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0075.922] lstrlenW (lpString="omnipos.exe") returned 11 [0075.922] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0075.923] lstrlenW (lpString="spcwin.exe") returned 10 [0075.923] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0075.924] lstrlenW (lpString="spgagentservice.exe") returned 19 [0075.924] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0075.924] lstrlenW (lpString="utg2.exe") returned 8 [0075.925] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0075.925] lstrlenW (lpString="forced-british.exe") returned 18 [0075.925] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0075.926] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0075.926] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0075.927] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0075.927] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0075.927] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0075.928] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0075.928] lstrlenW (lpString="kenya.exe") returned 9 [0075.928] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0075.929] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0075.929] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0075.930] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0075.930] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0075.931] lstrlenW (lpString="taskhost.exe") returned 12 [0075.931] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0075.931] lstrlenW (lpString="dmyurb.exe") returned 10 [0075.931] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0075.932] lstrlenW (lpString="cmd.exe") returned 7 [0075.932] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0075.933] lstrlenW (lpString="conhost.exe") returned 11 [0075.933] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0076.005] lstrlenW (lpString="vssadmin.exe") returned 12 [0076.005] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0076.007] lstrlenW (lpString="VSSVC.exe") returned 9 [0076.007] Process32NextW (in: hSnapshot=0x208, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0076.008] CloseHandle (hObject=0x208) returned 1 [0076.008] Sleep (dwMilliseconds=0x1f4) [0078.211] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df948 [0078.212] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0078.212] GetLastError () returned 0xea [0078.212] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12c6) returned 0x293ff8 [0078.212] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0078.213] CloseServiceHandle (hSCObject=0x2df948) returned 1 [0078.213] lstrlenW (lpString="Appinfo") returned 7 [0078.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0078.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0078.213] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0078.213] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0078.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0078.213] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0078.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0078.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0078.213] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0078.213] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0078.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0078.213] lstrlenW (lpString="AudioSrv") returned 8 [0078.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0078.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0078.213] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0078.213] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0078.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0078.213] lstrlenW (lpString="BFE") returned 3 [0078.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0078.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0078.214] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0078.214] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0078.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0078.214] lstrlenW (lpString="CryptSvc") returned 8 [0078.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0078.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0078.214] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0078.214] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0078.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0078.214] lstrlenW (lpString="CscService") returned 10 [0078.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0078.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0078.214] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0078.214] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0078.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0078.214] lstrlenW (lpString="DcomLaunch") returned 10 [0078.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0078.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0078.214] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0078.214] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0078.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0078.214] lstrlenW (lpString="Dhcp") returned 4 [0078.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0078.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0078.214] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0078.214] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0078.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0078.214] lstrlenW (lpString="Dnscache") returned 8 [0078.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0078.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0078.215] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0078.215] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0078.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0078.215] lstrlenW (lpString="DPS") returned 3 [0078.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0078.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0078.215] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0078.215] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0078.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0078.215] lstrlenW (lpString="eventlog") returned 8 [0078.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0078.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0078.215] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0078.215] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0078.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0078.215] lstrlenW (lpString="EventSystem") returned 11 [0078.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0078.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0078.215] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0078.215] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0078.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0078.215] lstrlenW (lpString="gpsvc") returned 5 [0078.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0078.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0078.215] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0078.215] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0078.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0078.215] lstrlenW (lpString="iphlpsvc") returned 8 [0078.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0078.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0078.215] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0078.215] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0078.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0078.216] lstrlenW (lpString="LanmanServer") returned 12 [0078.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0078.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0078.216] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0078.216] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0078.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0078.216] lstrlenW (lpString="LanmanWorkstation") returned 17 [0078.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0078.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0078.216] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0078.216] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0078.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0078.216] lstrlenW (lpString="lmhosts") returned 7 [0078.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0078.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0078.216] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0078.216] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0078.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0078.216] lstrlenW (lpString="MMCSS") returned 5 [0078.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0078.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0078.216] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0078.216] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0078.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0078.216] lstrlenW (lpString="MpsSvc") returned 6 [0078.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0078.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0078.216] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0078.216] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0078.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0078.216] lstrlenW (lpString="Netman") returned 6 [0078.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0078.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0078.216] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0078.217] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0078.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0078.217] lstrlenW (lpString="netprofm") returned 8 [0078.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0078.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0078.217] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0078.217] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0078.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0078.217] lstrlenW (lpString="NlaSvc") returned 6 [0078.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0078.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0078.217] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0078.217] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0078.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0078.217] lstrlenW (lpString="nsi") returned 3 [0078.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0078.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0078.217] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0078.217] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0078.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0078.217] lstrlenW (lpString="PcaSvc") returned 6 [0078.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0078.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0078.217] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0078.217] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0078.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0078.217] lstrlenW (lpString="PlugPlay") returned 8 [0078.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0078.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0078.217] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0078.217] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0078.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0078.217] lstrlenW (lpString="Power") returned 5 [0078.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0078.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0078.218] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0078.218] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0078.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0078.218] lstrlenW (lpString="ProfSvc") returned 7 [0078.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0078.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0078.218] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0078.218] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0078.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0078.218] lstrlenW (lpString="RpcEptMapper") returned 12 [0078.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0078.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0078.218] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0078.218] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0078.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0078.218] lstrlenW (lpString="RpcSs") returned 5 [0078.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0078.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0078.218] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0078.218] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0078.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0078.218] lstrlenW (lpString="SamSs") returned 5 [0078.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0078.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0078.218] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0078.218] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0078.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0078.218] lstrlenW (lpString="Schedule") returned 8 [0078.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0078.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0078.218] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0078.218] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0078.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0078.219] lstrlenW (lpString="SENS") returned 4 [0078.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0078.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0078.219] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0078.219] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0078.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0078.219] lstrlenW (lpString="ShellHWDetection") returned 16 [0078.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0078.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0078.219] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0078.219] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0078.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0078.219] lstrlenW (lpString="Spooler") returned 7 [0078.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0078.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0078.219] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0078.219] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0078.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0078.219] lstrlenW (lpString="swprv") returned 5 [0078.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0078.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0078.219] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0078.219] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0078.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0078.219] lstrlenW (lpString="SysMain") returned 7 [0078.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0078.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0078.219] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0078.219] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0078.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0078.219] lstrlenW (lpString="Themes") returned 6 [0078.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0078.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0078.220] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0078.220] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0078.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0078.220] lstrlenW (lpString="TrkWks") returned 6 [0078.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0078.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0078.220] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0078.220] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0078.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0078.220] lstrlenW (lpString="UxSms") returned 5 [0078.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0078.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0078.220] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0078.220] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0078.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0078.220] lstrlenW (lpString="VSS") returned 3 [0078.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0078.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0078.220] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0078.220] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0078.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0078.220] lstrlenW (lpString="WdiServiceHost") returned 14 [0078.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0078.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0078.220] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0078.220] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0078.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0078.220] lstrlenW (lpString="WdiSystemHost") returned 13 [0078.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0078.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0078.220] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0078.220] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0078.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0078.221] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0078.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0078.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0078.221] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0078.221] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0078.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0078.221] lstrlenW (lpString="Winmgmt") returned 7 [0078.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0078.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0078.221] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0078.221] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0078.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0078.221] lstrlenW (lpString="WPDBusEnum") returned 10 [0078.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0078.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0078.221] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0078.221] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0078.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0078.221] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0078.221] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f0 [0078.225] Process32FirstW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0078.226] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0078.226] lstrlenW (lpString="System") returned 6 [0078.226] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0078.226] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0078.226] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0078.226] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0078.226] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0078.226] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0078.226] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0078.226] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0078.227] lstrlenW (lpString="smss.exe") returned 8 [0078.227] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0078.227] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0078.227] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0078.227] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0078.227] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0078.227] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0078.227] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0078.227] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0078.228] lstrlenW (lpString="csrss.exe") returned 9 [0078.228] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0078.228] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0078.228] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0078.228] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0078.228] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0078.228] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0078.228] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0078.228] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0078.229] lstrlenW (lpString="wininit.exe") returned 11 [0078.229] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0078.229] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0078.229] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0078.229] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0078.230] lstrlenW (lpString="csrss.exe") returned 9 [0078.230] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0078.230] lstrlenW (lpString="winlogon.exe") returned 12 [0078.230] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0078.231] lstrlenW (lpString="services.exe") returned 12 [0078.231] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0078.231] lstrlenW (lpString="lsass.exe") returned 9 [0078.231] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0078.232] lstrlenW (lpString="lsm.exe") returned 7 [0078.232] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0078.232] lstrlenW (lpString="svchost.exe") returned 11 [0078.232] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0078.233] lstrlenW (lpString="svchost.exe") returned 11 [0078.233] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0078.233] lstrlenW (lpString="svchost.exe") returned 11 [0078.233] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0078.234] lstrlenW (lpString="svchost.exe") returned 11 [0078.234] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0078.235] lstrlenW (lpString="svchost.exe") returned 11 [0078.235] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0078.235] lstrlenW (lpString="audiodg.exe") returned 11 [0078.235] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0078.236] lstrlenW (lpString="svchost.exe") returned 11 [0078.236] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0078.236] lstrlenW (lpString="svchost.exe") returned 11 [0078.236] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0078.237] lstrlenW (lpString="dwm.exe") returned 7 [0078.237] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0078.237] lstrlenW (lpString="explorer.exe") returned 12 [0078.237] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0078.238] lstrlenW (lpString="spoolsv.exe") returned 11 [0078.238] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0078.238] lstrlenW (lpString="svchost.exe") returned 11 [0078.238] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0078.239] lstrlenW (lpString="taskhost.exe") returned 12 [0078.239] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0078.239] lstrlenW (lpString="taskeng.exe") returned 11 [0078.239] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0078.240] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0078.240] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0078.240] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0078.240] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0078.241] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0078.241] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0078.241] lstrlenW (lpString="celebration.exe") returned 15 [0078.241] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0078.242] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0078.242] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0078.243] lstrlenW (lpString="americansislamic.exe") returned 20 [0078.243] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0078.243] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0078.243] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0078.511] lstrlenW (lpString="sm-aud.exe") returned 10 [0078.511] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0078.512] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0078.512] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0078.513] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0078.513] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0078.513] lstrlenW (lpString="lap.exe") returned 7 [0078.514] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0078.514] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0078.514] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0078.515] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0078.515] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0078.516] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0078.516] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0078.516] lstrlenW (lpString="completion.exe") returned 14 [0078.516] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0078.517] lstrlenW (lpString="independently.exe") returned 17 [0078.517] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0078.518] lstrlenW (lpString="mel_kinase.exe") returned 14 [0078.518] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0078.518] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0078.518] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0078.519] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0078.519] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0078.520] lstrlenW (lpString="3dftp.exe") returned 9 [0078.520] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0078.520] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0078.520] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0078.521] lstrlenW (lpString="alftp.exe") returned 9 [0078.521] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0078.522] lstrlenW (lpString="barca.exe") returned 9 [0078.522] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0078.523] lstrlenW (lpString="bitkinex.exe") returned 12 [0078.523] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0078.523] lstrlenW (lpString="coreftp.exe") returned 11 [0078.523] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0078.524] lstrlenW (lpString="far.exe") returned 7 [0078.524] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0078.525] lstrlenW (lpString="filezilla.exe") returned 13 [0078.525] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0078.525] lstrlenW (lpString="flashfxp.exe") returned 12 [0078.525] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0078.526] lstrlenW (lpString="fling.exe") returned 9 [0078.526] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0078.527] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0078.527] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0078.527] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0078.527] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0078.528] lstrlenW (lpString="icq.exe") returned 7 [0078.528] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0078.529] lstrlenW (lpString="leechftp.exe") returned 12 [0078.529] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0078.529] lstrlenW (lpString="ncftp.exe") returned 9 [0078.529] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0078.530] lstrlenW (lpString="notepad.exe") returned 11 [0078.530] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0078.531] lstrlenW (lpString="operamail.exe") returned 13 [0078.531] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0078.532] lstrlenW (lpString="pidgin.exe") returned 10 [0078.533] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0078.534] lstrlenW (lpString="scriptftp.exe") returned 13 [0078.534] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0078.535] lstrlenW (lpString="skype.exe") returned 9 [0078.535] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0078.536] lstrlenW (lpString="smartftp.exe") returned 12 [0078.536] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0078.537] lstrlenW (lpString="thunderbird.exe") returned 15 [0078.537] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0078.538] lstrlenW (lpString="totalcmd.exe") returned 12 [0078.538] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0078.539] lstrlenW (lpString="trillian.exe") returned 12 [0078.539] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0078.540] lstrlenW (lpString="webdrive.exe") returned 12 [0078.540] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0078.541] lstrlenW (lpString="whatsapp.exe") returned 12 [0078.541] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0078.542] lstrlenW (lpString="winscp.exe") returned 10 [0078.542] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0078.543] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0078.543] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0078.544] lstrlenW (lpString="active-charge.exe") returned 17 [0078.544] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0078.545] lstrlenW (lpString="accupos.exe") returned 11 [0078.545] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0078.848] lstrlenW (lpString="afr38.exe") returned 9 [0078.848] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0078.849] lstrlenW (lpString="aldelo.exe") returned 10 [0078.849] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0078.850] lstrlenW (lpString="ccv_server.exe") returned 14 [0078.850] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0078.851] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0078.851] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0078.852] lstrlenW (lpString="creditservice.exe") returned 17 [0078.852] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0078.853] lstrlenW (lpString="edcsvr.exe") returned 10 [0078.853] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0078.926] lstrlenW (lpString="fpos.exe") returned 8 [0078.926] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0078.940] lstrlenW (lpString="isspos.exe") returned 10 [0078.940] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0078.941] lstrlenW (lpString="mxslipstream.exe") returned 16 [0078.941] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0078.942] lstrlenW (lpString="omnipos.exe") returned 11 [0078.942] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0078.943] lstrlenW (lpString="spcwin.exe") returned 10 [0078.943] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0078.944] lstrlenW (lpString="spgagentservice.exe") returned 19 [0078.944] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0078.945] lstrlenW (lpString="utg2.exe") returned 8 [0078.945] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0078.945] lstrlenW (lpString="forced-british.exe") returned 18 [0078.945] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0078.946] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0078.946] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0078.947] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0078.947] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0078.948] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0078.948] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0078.949] lstrlenW (lpString="kenya.exe") returned 9 [0078.949] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0078.950] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0078.950] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0078.951] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0078.951] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0078.951] lstrlenW (lpString="taskhost.exe") returned 12 [0078.951] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0078.952] lstrlenW (lpString="dmyurb.exe") returned 10 [0078.952] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0078.953] lstrlenW (lpString="cmd.exe") returned 7 [0078.953] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0078.954] lstrlenW (lpString="conhost.exe") returned 11 [0078.954] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0078.954] lstrlenW (lpString="vssadmin.exe") returned 12 [0078.955] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0078.955] lstrlenW (lpString="VSSVC.exe") returned 9 [0078.955] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0078.956] lstrlenW (lpString="svchost.exe") returned 11 [0078.956] Process32NextW (in: hSnapshot=0x1f0, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0078.957] CloseHandle (hObject=0x1f0) returned 1 [0078.957] Sleep (dwMilliseconds=0x1f4) [0079.547] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df948 [0079.547] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0079.548] GetLastError () returned 0xea [0079.548] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12c6) returned 0x293ff8 [0079.548] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0079.557] CloseServiceHandle (hSCObject=0x2df948) returned 1 [0079.557] lstrlenW (lpString="Appinfo") returned 7 [0079.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0079.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0079.557] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0079.557] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0079.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0079.557] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0079.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0079.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0079.557] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0079.557] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0079.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0079.557] lstrlenW (lpString="AudioSrv") returned 8 [0079.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0079.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0079.557] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0079.557] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0079.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0079.557] lstrlenW (lpString="BFE") returned 3 [0079.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0079.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0079.558] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0079.558] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0079.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0079.558] lstrlenW (lpString="CryptSvc") returned 8 [0079.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0079.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0079.558] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0079.558] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0079.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0079.558] lstrlenW (lpString="CscService") returned 10 [0079.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0079.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0079.558] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0079.558] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0079.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0079.558] lstrlenW (lpString="DcomLaunch") returned 10 [0079.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0079.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0079.558] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0079.558] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0079.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0079.558] lstrlenW (lpString="Dhcp") returned 4 [0079.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0079.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0079.558] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0079.558] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0079.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0079.559] lstrlenW (lpString="Dnscache") returned 8 [0079.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0079.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0079.559] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0079.559] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0079.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0079.559] lstrlenW (lpString="DPS") returned 3 [0079.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0079.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0079.559] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0079.559] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0079.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0079.559] lstrlenW (lpString="eventlog") returned 8 [0079.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0079.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0079.559] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0079.559] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0079.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0079.559] lstrlenW (lpString="EventSystem") returned 11 [0079.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0079.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0079.559] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0079.559] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0079.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0079.559] lstrlenW (lpString="gpsvc") returned 5 [0079.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0079.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0079.560] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0079.560] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0079.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0079.560] lstrlenW (lpString="iphlpsvc") returned 8 [0079.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0079.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0079.560] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0079.560] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0079.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0079.560] lstrlenW (lpString="LanmanServer") returned 12 [0079.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0079.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0079.560] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0079.560] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0079.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0079.560] lstrlenW (lpString="LanmanWorkstation") returned 17 [0079.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0079.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0079.560] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0079.560] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0079.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0079.560] lstrlenW (lpString="lmhosts") returned 7 [0079.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0079.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0079.560] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0079.561] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0079.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0079.561] lstrlenW (lpString="MMCSS") returned 5 [0079.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0079.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0079.561] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0079.561] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0079.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0079.561] lstrlenW (lpString="MpsSvc") returned 6 [0079.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0079.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0079.561] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0079.561] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0079.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0079.561] lstrlenW (lpString="Netman") returned 6 [0079.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0079.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0079.561] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0079.561] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0079.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0079.561] lstrlenW (lpString="netprofm") returned 8 [0079.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0079.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0079.561] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0079.561] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0079.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0079.561] lstrlenW (lpString="NlaSvc") returned 6 [0079.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0079.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0079.562] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0079.562] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0079.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0079.562] lstrlenW (lpString="nsi") returned 3 [0079.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0079.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0079.562] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0079.562] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0079.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0079.562] lstrlenW (lpString="PcaSvc") returned 6 [0079.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0079.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0079.562] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0079.562] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0079.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0079.562] lstrlenW (lpString="PlugPlay") returned 8 [0079.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0079.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0079.562] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0079.562] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0079.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0079.562] lstrlenW (lpString="Power") returned 5 [0079.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0079.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0079.562] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0079.562] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0079.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0079.563] lstrlenW (lpString="ProfSvc") returned 7 [0079.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0079.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0079.563] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0079.563] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0079.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0079.563] lstrlenW (lpString="RpcEptMapper") returned 12 [0079.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0079.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0079.563] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0079.563] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0079.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0079.563] lstrlenW (lpString="RpcSs") returned 5 [0079.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0079.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0079.563] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0079.563] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0079.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0079.563] lstrlenW (lpString="SamSs") returned 5 [0079.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0079.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0079.563] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0079.563] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0079.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0079.563] lstrlenW (lpString="Schedule") returned 8 [0079.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0079.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0079.564] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0079.564] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0079.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0079.564] lstrlenW (lpString="SENS") returned 4 [0079.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0079.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0079.564] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0079.564] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0079.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0079.564] lstrlenW (lpString="ShellHWDetection") returned 16 [0079.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0079.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0079.564] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0079.564] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0079.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0079.564] lstrlenW (lpString="Spooler") returned 7 [0079.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0079.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0079.564] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0079.564] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0079.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0079.564] lstrlenW (lpString="swprv") returned 5 [0079.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0079.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0079.564] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0079.564] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0079.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0079.565] lstrlenW (lpString="SysMain") returned 7 [0079.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0079.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0079.565] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0079.565] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0079.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0079.565] lstrlenW (lpString="Themes") returned 6 [0079.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0079.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0079.565] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0079.565] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0079.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0079.565] lstrlenW (lpString="TrkWks") returned 6 [0079.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0079.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0079.565] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0079.565] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0079.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0079.565] lstrlenW (lpString="UxSms") returned 5 [0079.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0079.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0079.565] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0079.565] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0079.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0079.565] lstrlenW (lpString="VSS") returned 3 [0079.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0079.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0079.566] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0079.566] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0079.566] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0079.566] lstrlenW (lpString="WdiServiceHost") returned 14 [0079.566] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0079.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0079.566] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0079.566] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0079.566] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0079.566] lstrlenW (lpString="WdiSystemHost") returned 13 [0079.566] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0079.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0079.566] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0079.566] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0079.566] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0079.566] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0079.566] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0079.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0079.566] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0079.566] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0079.566] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0079.566] lstrlenW (lpString="Winmgmt") returned 7 [0079.566] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0079.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0079.566] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0079.566] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0079.566] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0079.567] lstrlenW (lpString="WPDBusEnum") returned 10 [0079.567] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0079.567] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0079.567] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0079.567] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0079.567] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0079.567] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0079.567] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1ec [0079.573] Process32FirstW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0079.574] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0079.575] lstrlenW (lpString="System") returned 6 [0079.575] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0079.575] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0079.575] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0079.575] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0079.575] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0079.575] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0079.575] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0079.575] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0079.575] lstrlenW (lpString="smss.exe") returned 8 [0079.575] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0079.576] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0079.576] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0079.576] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0079.576] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0079.576] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0079.576] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0079.576] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0079.576] lstrlenW (lpString="csrss.exe") returned 9 [0079.576] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0079.576] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0079.576] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0079.577] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0079.577] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0079.577] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0079.577] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0079.577] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0079.577] lstrlenW (lpString="wininit.exe") returned 11 [0079.577] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0079.577] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0079.577] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0079.578] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0079.578] lstrlenW (lpString="csrss.exe") returned 9 [0079.578] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0079.579] lstrlenW (lpString="winlogon.exe") returned 12 [0079.579] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0079.580] lstrlenW (lpString="services.exe") returned 12 [0079.580] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0079.580] lstrlenW (lpString="lsass.exe") returned 9 [0079.580] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0079.581] lstrlenW (lpString="lsm.exe") returned 7 [0079.581] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.582] lstrlenW (lpString="svchost.exe") returned 11 [0079.582] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.583] lstrlenW (lpString="svchost.exe") returned 11 [0079.583] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.583] lstrlenW (lpString="svchost.exe") returned 11 [0079.583] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.584] lstrlenW (lpString="svchost.exe") returned 11 [0079.584] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.585] lstrlenW (lpString="svchost.exe") returned 11 [0079.585] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0079.585] lstrlenW (lpString="audiodg.exe") returned 11 [0079.586] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.586] lstrlenW (lpString="svchost.exe") returned 11 [0079.586] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.587] lstrlenW (lpString="svchost.exe") returned 11 [0079.587] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0079.588] lstrlenW (lpString="dwm.exe") returned 7 [0079.588] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0079.588] lstrlenW (lpString="explorer.exe") returned 12 [0079.588] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0079.589] lstrlenW (lpString="spoolsv.exe") returned 11 [0079.589] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0079.590] lstrlenW (lpString="svchost.exe") returned 11 [0079.590] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0079.590] lstrlenW (lpString="taskhost.exe") returned 12 [0079.590] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0079.591] lstrlenW (lpString="taskeng.exe") returned 11 [0079.591] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0080.125] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0080.125] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0080.126] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0080.126] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0080.127] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0080.127] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0080.127] lstrlenW (lpString="celebration.exe") returned 15 [0080.127] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0080.131] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0080.131] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0080.132] lstrlenW (lpString="americansislamic.exe") returned 20 [0080.132] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0080.132] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0080.132] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0080.133] lstrlenW (lpString="sm-aud.exe") returned 10 [0080.133] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0080.134] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0080.134] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0080.135] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0080.135] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0080.135] lstrlenW (lpString="lap.exe") returned 7 [0080.135] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0080.136] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0080.136] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0080.137] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0080.137] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0080.137] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0080.137] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0080.138] lstrlenW (lpString="completion.exe") returned 14 [0080.138] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0080.139] lstrlenW (lpString="independently.exe") returned 17 [0080.139] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0080.139] lstrlenW (lpString="mel_kinase.exe") returned 14 [0080.140] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0080.140] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0080.140] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0080.141] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0080.141] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0080.142] lstrlenW (lpString="3dftp.exe") returned 9 [0080.142] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0080.142] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0080.142] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0080.143] lstrlenW (lpString="alftp.exe") returned 9 [0080.143] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0080.144] lstrlenW (lpString="barca.exe") returned 9 [0080.144] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0080.144] lstrlenW (lpString="bitkinex.exe") returned 12 [0080.144] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0080.145] lstrlenW (lpString="coreftp.exe") returned 11 [0080.145] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0080.146] lstrlenW (lpString="far.exe") returned 7 [0080.146] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0080.146] lstrlenW (lpString="filezilla.exe") returned 13 [0080.147] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0080.147] lstrlenW (lpString="flashfxp.exe") returned 12 [0080.147] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0080.148] lstrlenW (lpString="fling.exe") returned 9 [0080.148] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0080.148] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0080.149] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0080.149] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0080.149] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0080.150] lstrlenW (lpString="icq.exe") returned 7 [0080.150] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0080.150] lstrlenW (lpString="leechftp.exe") returned 12 [0080.151] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0080.151] lstrlenW (lpString="ncftp.exe") returned 9 [0080.151] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0080.152] lstrlenW (lpString="notepad.exe") returned 11 [0080.152] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0080.153] lstrlenW (lpString="operamail.exe") returned 13 [0080.153] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0080.154] lstrlenW (lpString="pidgin.exe") returned 10 [0080.154] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0080.155] lstrlenW (lpString="scriptftp.exe") returned 13 [0080.155] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0080.156] lstrlenW (lpString="skype.exe") returned 9 [0080.157] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0080.157] lstrlenW (lpString="smartftp.exe") returned 12 [0080.158] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0080.159] lstrlenW (lpString="thunderbird.exe") returned 15 [0080.159] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0080.160] lstrlenW (lpString="totalcmd.exe") returned 12 [0080.472] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0080.473] lstrlenW (lpString="trillian.exe") returned 12 [0080.473] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0080.474] lstrlenW (lpString="webdrive.exe") returned 12 [0080.474] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0080.475] lstrlenW (lpString="whatsapp.exe") returned 12 [0080.475] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0080.476] lstrlenW (lpString="winscp.exe") returned 10 [0080.476] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0080.477] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0080.477] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0080.478] lstrlenW (lpString="active-charge.exe") returned 17 [0080.478] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0080.479] lstrlenW (lpString="accupos.exe") returned 11 [0080.479] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0080.480] lstrlenW (lpString="afr38.exe") returned 9 [0080.480] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0080.481] lstrlenW (lpString="aldelo.exe") returned 10 [0080.481] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0080.482] lstrlenW (lpString="ccv_server.exe") returned 14 [0080.482] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0080.483] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0080.483] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0080.484] lstrlenW (lpString="creditservice.exe") returned 17 [0080.484] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0080.485] lstrlenW (lpString="edcsvr.exe") returned 10 [0080.485] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0080.486] lstrlenW (lpString="fpos.exe") returned 8 [0080.486] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0080.487] lstrlenW (lpString="isspos.exe") returned 10 [0080.487] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0080.489] lstrlenW (lpString="mxslipstream.exe") returned 16 [0080.489] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0080.490] lstrlenW (lpString="omnipos.exe") returned 11 [0080.490] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0080.491] lstrlenW (lpString="spcwin.exe") returned 10 [0080.491] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0080.492] lstrlenW (lpString="spgagentservice.exe") returned 19 [0080.492] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0080.492] lstrlenW (lpString="utg2.exe") returned 8 [0080.492] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0080.493] lstrlenW (lpString="forced-british.exe") returned 18 [0080.493] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0080.494] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0080.494] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0080.495] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0080.495] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0080.496] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0080.496] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0080.497] lstrlenW (lpString="kenya.exe") returned 9 [0080.497] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0080.498] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0080.498] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0080.498] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0080.499] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0080.499] lstrlenW (lpString="taskhost.exe") returned 12 [0080.499] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0080.500] lstrlenW (lpString="dmyurb.exe") returned 10 [0080.500] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0080.501] lstrlenW (lpString="cmd.exe") returned 7 [0080.501] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0080.502] lstrlenW (lpString="conhost.exe") returned 11 [0080.502] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0080.502] lstrlenW (lpString="vssadmin.exe") returned 12 [0080.502] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0080.503] lstrlenW (lpString="VSSVC.exe") returned 9 [0080.503] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.504] lstrlenW (lpString="svchost.exe") returned 11 [0080.504] Process32NextW (in: hSnapshot=0x1ec, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0080.505] CloseHandle (hObject=0x1ec) returned 1 [0080.505] Sleep (dwMilliseconds=0x1f4) [0081.207] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df948 [0081.207] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0081.208] GetLastError () returned 0xea [0081.208] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12c6) returned 0x293ff8 [0081.208] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x12c6, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0081.208] CloseServiceHandle (hSCObject=0x2df948) returned 1 [0081.208] lstrlenW (lpString="Appinfo") returned 7 [0081.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0081.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0081.209] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0081.209] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0081.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0081.209] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0081.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0081.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0081.209] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0081.209] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0081.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0081.209] lstrlenW (lpString="AudioSrv") returned 8 [0081.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0081.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0081.209] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0081.209] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0081.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0081.209] lstrlenW (lpString="BFE") returned 3 [0081.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0081.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0081.209] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0081.209] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0081.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0081.209] lstrlenW (lpString="CryptSvc") returned 8 [0081.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0081.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0081.209] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0081.209] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0081.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0081.209] lstrlenW (lpString="CscService") returned 10 [0081.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0081.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0081.209] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0081.209] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0081.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0081.210] lstrlenW (lpString="DcomLaunch") returned 10 [0081.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0081.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0081.210] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0081.210] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0081.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0081.210] lstrlenW (lpString="Dhcp") returned 4 [0081.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0081.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0081.210] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0081.210] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0081.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0081.210] lstrlenW (lpString="Dnscache") returned 8 [0081.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0081.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0081.210] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0081.210] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0081.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0081.210] lstrlenW (lpString="DPS") returned 3 [0081.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0081.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0081.210] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0081.210] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0081.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0081.210] lstrlenW (lpString="eventlog") returned 8 [0081.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0081.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0081.210] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0081.210] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0081.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0081.210] lstrlenW (lpString="EventSystem") returned 11 [0081.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0081.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0081.210] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0081.211] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0081.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0081.211] lstrlenW (lpString="gpsvc") returned 5 [0081.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0081.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0081.211] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0081.211] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0081.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0081.211] lstrlenW (lpString="iphlpsvc") returned 8 [0081.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0081.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0081.211] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0081.211] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0081.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0081.211] lstrlenW (lpString="LanmanServer") returned 12 [0081.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0081.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0081.211] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0081.211] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0081.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0081.211] lstrlenW (lpString="LanmanWorkstation") returned 17 [0081.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0081.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0081.211] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0081.211] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0081.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0081.211] lstrlenW (lpString="lmhosts") returned 7 [0081.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0081.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0081.211] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0081.211] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0081.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0081.211] lstrlenW (lpString="MMCSS") returned 5 [0081.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0081.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0081.212] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0081.212] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0081.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0081.212] lstrlenW (lpString="MpsSvc") returned 6 [0081.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0081.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0081.212] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0081.212] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0081.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0081.212] lstrlenW (lpString="Netman") returned 6 [0081.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0081.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0081.212] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0081.212] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0081.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0081.212] lstrlenW (lpString="netprofm") returned 8 [0081.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0081.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0081.212] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0081.212] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0081.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0081.212] lstrlenW (lpString="NlaSvc") returned 6 [0081.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0081.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0081.212] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0081.212] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0081.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0081.212] lstrlenW (lpString="nsi") returned 3 [0081.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0081.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0081.212] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0081.212] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0081.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0081.212] lstrlenW (lpString="PcaSvc") returned 6 [0081.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0081.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0081.213] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0081.213] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0081.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0081.213] lstrlenW (lpString="PlugPlay") returned 8 [0081.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0081.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0081.213] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0081.213] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0081.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0081.213] lstrlenW (lpString="Power") returned 5 [0081.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0081.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0081.213] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0081.213] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0081.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0081.213] lstrlenW (lpString="ProfSvc") returned 7 [0081.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0081.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0081.213] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0081.213] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0081.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0081.213] lstrlenW (lpString="RpcEptMapper") returned 12 [0081.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0081.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0081.213] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0081.213] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0081.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0081.213] lstrlenW (lpString="RpcSs") returned 5 [0081.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0081.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0081.213] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0081.213] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0081.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0081.213] lstrlenW (lpString="SamSs") returned 5 [0081.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0081.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0081.214] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0081.214] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0081.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0081.214] lstrlenW (lpString="Schedule") returned 8 [0081.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0081.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0081.214] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0081.214] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0081.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0081.214] lstrlenW (lpString="SENS") returned 4 [0081.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0081.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0081.214] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0081.214] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0081.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0081.214] lstrlenW (lpString="ShellHWDetection") returned 16 [0081.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0081.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0081.214] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0081.214] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0081.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0081.214] lstrlenW (lpString="Spooler") returned 7 [0081.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0081.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0081.214] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0081.214] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0081.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0081.214] lstrlenW (lpString="swprv") returned 5 [0081.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0081.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0081.214] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0081.214] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0081.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0081.215] lstrlenW (lpString="SysMain") returned 7 [0081.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0081.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0081.215] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0081.215] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0081.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0081.215] lstrlenW (lpString="Themes") returned 6 [0081.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0081.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0081.215] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0081.215] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0081.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0081.215] lstrlenW (lpString="TrkWks") returned 6 [0081.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0081.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0081.215] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0081.215] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0081.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0081.215] lstrlenW (lpString="UxSms") returned 5 [0081.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0081.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0081.215] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0081.215] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0081.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0081.215] lstrlenW (lpString="VSS") returned 3 [0081.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0081.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0081.215] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0081.215] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0081.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0081.215] lstrlenW (lpString="WdiServiceHost") returned 14 [0081.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0081.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0081.215] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0081.215] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0081.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0081.216] lstrlenW (lpString="WdiSystemHost") returned 13 [0081.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0081.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0081.216] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0081.216] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0081.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0081.216] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0081.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0081.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0081.216] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0081.216] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0081.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0081.216] lstrlenW (lpString="Winmgmt") returned 7 [0081.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0081.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0081.216] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0081.216] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0081.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0081.216] lstrlenW (lpString="WPDBusEnum") returned 10 [0081.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0081.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0081.216] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0081.216] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0081.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0081.216] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0081.216] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x204 [0081.220] Process32FirstW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0081.221] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0081.221] lstrlenW (lpString="System") returned 6 [0081.221] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0081.221] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0081.221] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0081.221] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0081.221] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0081.221] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0081.221] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0081.221] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0081.222] lstrlenW (lpString="smss.exe") returned 8 [0081.222] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0081.222] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0081.222] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0081.222] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0081.222] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0081.222] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0081.222] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0081.222] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0081.223] lstrlenW (lpString="csrss.exe") returned 9 [0081.223] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0081.223] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0081.223] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0081.223] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0081.223] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0081.223] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0081.223] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0081.223] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0081.223] lstrlenW (lpString="wininit.exe") returned 11 [0081.223] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0081.223] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0081.224] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0081.224] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0081.224] lstrlenW (lpString="csrss.exe") returned 9 [0081.224] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0081.225] lstrlenW (lpString="winlogon.exe") returned 12 [0081.225] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0081.339] lstrlenW (lpString="services.exe") returned 12 [0081.340] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0081.340] lstrlenW (lpString="lsass.exe") returned 9 [0081.340] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0081.341] lstrlenW (lpString="lsm.exe") returned 7 [0081.341] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.342] lstrlenW (lpString="svchost.exe") returned 11 [0081.342] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.342] lstrlenW (lpString="svchost.exe") returned 11 [0081.342] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.343] lstrlenW (lpString="svchost.exe") returned 11 [0081.343] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.344] lstrlenW (lpString="svchost.exe") returned 11 [0081.344] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.345] lstrlenW (lpString="svchost.exe") returned 11 [0081.345] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0081.346] lstrlenW (lpString="audiodg.exe") returned 11 [0081.346] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.346] lstrlenW (lpString="svchost.exe") returned 11 [0081.346] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.347] lstrlenW (lpString="svchost.exe") returned 11 [0081.347] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0081.348] lstrlenW (lpString="dwm.exe") returned 7 [0081.348] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0081.348] lstrlenW (lpString="explorer.exe") returned 12 [0081.348] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0081.349] lstrlenW (lpString="spoolsv.exe") returned 11 [0081.349] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.350] lstrlenW (lpString="svchost.exe") returned 11 [0081.350] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0081.351] lstrlenW (lpString="taskhost.exe") returned 12 [0081.351] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0081.351] lstrlenW (lpString="taskeng.exe") returned 11 [0081.351] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0081.352] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0081.352] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0081.353] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0081.353] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0081.353] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0081.353] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0081.605] lstrlenW (lpString="celebration.exe") returned 15 [0081.605] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0081.606] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0081.606] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0081.606] lstrlenW (lpString="americansislamic.exe") returned 20 [0081.606] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0081.607] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0081.607] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0081.608] lstrlenW (lpString="sm-aud.exe") returned 10 [0081.608] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0081.608] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0081.608] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0081.609] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0081.609] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0081.610] lstrlenW (lpString="lap.exe") returned 7 [0081.610] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0081.610] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0081.611] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0081.611] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0081.611] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0081.612] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0081.612] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0081.613] lstrlenW (lpString="completion.exe") returned 14 [0081.613] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0081.613] lstrlenW (lpString="independently.exe") returned 17 [0081.613] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0081.614] lstrlenW (lpString="mel_kinase.exe") returned 14 [0081.614] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0081.615] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0081.615] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0081.615] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0081.615] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0081.616] lstrlenW (lpString="3dftp.exe") returned 9 [0081.616] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0081.617] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0081.617] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0081.618] lstrlenW (lpString="alftp.exe") returned 9 [0081.618] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0081.618] lstrlenW (lpString="barca.exe") returned 9 [0081.618] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0081.619] lstrlenW (lpString="bitkinex.exe") returned 12 [0081.619] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0081.619] lstrlenW (lpString="coreftp.exe") returned 11 [0081.620] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0081.620] lstrlenW (lpString="far.exe") returned 7 [0081.620] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0081.621] lstrlenW (lpString="filezilla.exe") returned 13 [0081.621] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0081.622] lstrlenW (lpString="flashfxp.exe") returned 12 [0081.622] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0081.622] lstrlenW (lpString="fling.exe") returned 9 [0081.622] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0081.623] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0081.623] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0081.624] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0081.624] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0081.624] lstrlenW (lpString="icq.exe") returned 7 [0081.624] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0081.625] lstrlenW (lpString="leechftp.exe") returned 12 [0081.625] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0081.626] lstrlenW (lpString="ncftp.exe") returned 9 [0081.626] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0081.627] lstrlenW (lpString="notepad.exe") returned 11 [0081.627] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0081.628] lstrlenW (lpString="operamail.exe") returned 13 [0081.628] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0081.629] lstrlenW (lpString="pidgin.exe") returned 10 [0081.629] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0081.630] lstrlenW (lpString="scriptftp.exe") returned 13 [0081.630] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0081.631] lstrlenW (lpString="skype.exe") returned 9 [0081.631] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0081.632] lstrlenW (lpString="smartftp.exe") returned 12 [0081.632] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0081.633] lstrlenW (lpString="thunderbird.exe") returned 15 [0081.633] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0081.634] lstrlenW (lpString="totalcmd.exe") returned 12 [0081.634] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0081.635] lstrlenW (lpString="trillian.exe") returned 12 [0081.635] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0081.636] lstrlenW (lpString="webdrive.exe") returned 12 [0081.636] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0081.637] lstrlenW (lpString="whatsapp.exe") returned 12 [0081.637] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0081.638] lstrlenW (lpString="winscp.exe") returned 10 [0081.638] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0081.639] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0081.639] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0081.790] lstrlenW (lpString="active-charge.exe") returned 17 [0081.790] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0081.791] lstrlenW (lpString="accupos.exe") returned 11 [0081.791] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0081.796] lstrlenW (lpString="afr38.exe") returned 9 [0081.796] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0081.797] lstrlenW (lpString="aldelo.exe") returned 10 [0081.797] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0081.798] lstrlenW (lpString="ccv_server.exe") returned 14 [0081.798] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0081.799] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0081.799] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0081.799] lstrlenW (lpString="creditservice.exe") returned 17 [0081.799] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0081.800] lstrlenW (lpString="edcsvr.exe") returned 10 [0081.800] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0081.801] lstrlenW (lpString="fpos.exe") returned 8 [0081.801] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0081.802] lstrlenW (lpString="isspos.exe") returned 10 [0081.802] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0081.802] lstrlenW (lpString="mxslipstream.exe") returned 16 [0081.802] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0081.803] lstrlenW (lpString="omnipos.exe") returned 11 [0081.803] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0081.803] lstrlenW (lpString="spcwin.exe") returned 10 [0081.804] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0081.804] lstrlenW (lpString="spgagentservice.exe") returned 19 [0081.804] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0081.805] lstrlenW (lpString="utg2.exe") returned 8 [0081.805] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0081.805] lstrlenW (lpString="forced-british.exe") returned 18 [0081.806] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0081.806] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0081.806] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0081.807] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0081.807] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0081.808] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0081.808] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0081.809] lstrlenW (lpString="kenya.exe") returned 9 [0081.809] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0081.809] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0081.809] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0081.810] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0081.810] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0081.811] lstrlenW (lpString="taskhost.exe") returned 12 [0081.811] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0081.811] lstrlenW (lpString="dmyurb.exe") returned 10 [0081.811] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0081.812] lstrlenW (lpString="cmd.exe") returned 7 [0081.812] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0081.812] lstrlenW (lpString="conhost.exe") returned 11 [0081.812] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0081.813] lstrlenW (lpString="vssadmin.exe") returned 12 [0081.813] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0081.817] lstrlenW (lpString="VSSVC.exe") returned 9 [0081.817] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0081.818] lstrlenW (lpString="svchost.exe") returned 11 [0081.818] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0081.818] CloseHandle (hObject=0x204) returned 1 [0081.819] Sleep (dwMilliseconds=0x1f4) [0082.542] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df948 [0082.543] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0082.543] GetLastError () returned 0xea [0082.543] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x133c) returned 0x293ff8 [0082.543] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x133c, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0082.544] CloseServiceHandle (hSCObject=0x2df948) returned 1 [0082.544] lstrlenW (lpString="Appinfo") returned 7 [0082.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0082.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0082.544] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0082.544] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0082.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0082.544] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0082.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0082.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0082.544] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0082.544] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0082.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0082.545] lstrlenW (lpString="AudioSrv") returned 8 [0082.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0082.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0082.545] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0082.545] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0082.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0082.545] lstrlenW (lpString="BFE") returned 3 [0082.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0082.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0082.545] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0082.545] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0082.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0082.545] lstrlenW (lpString="CryptSvc") returned 8 [0082.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0082.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0082.545] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0082.545] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0082.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0082.545] lstrlenW (lpString="CscService") returned 10 [0082.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0082.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0082.545] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0082.545] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0082.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0082.545] lstrlenW (lpString="DcomLaunch") returned 10 [0082.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0082.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0082.545] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0082.545] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0082.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0082.546] lstrlenW (lpString="Dhcp") returned 4 [0082.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0082.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0082.546] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0082.546] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0082.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0082.546] lstrlenW (lpString="Dnscache") returned 8 [0082.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0082.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0082.546] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0082.546] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0082.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0082.546] lstrlenW (lpString="DPS") returned 3 [0082.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0082.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0082.546] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0082.546] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0082.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0082.546] lstrlenW (lpString="eventlog") returned 8 [0082.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0082.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0082.546] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0082.546] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0082.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0082.547] lstrlenW (lpString="EventSystem") returned 11 [0082.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0082.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0082.547] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0082.547] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0082.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0082.547] lstrlenW (lpString="FontCache") returned 9 [0082.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0082.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0082.547] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0082.547] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0082.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0082.547] lstrlenW (lpString="gpsvc") returned 5 [0082.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0082.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0082.547] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0082.547] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0082.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0082.547] lstrlenW (lpString="iphlpsvc") returned 8 [0082.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0082.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0082.547] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0082.547] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0082.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0082.547] lstrlenW (lpString="LanmanServer") returned 12 [0082.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0082.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0082.548] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0082.548] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0082.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0082.548] lstrlenW (lpString="LanmanWorkstation") returned 17 [0082.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0082.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0082.548] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0082.548] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0082.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0082.548] lstrlenW (lpString="lmhosts") returned 7 [0082.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0082.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0082.548] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0082.548] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0082.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0082.548] lstrlenW (lpString="MMCSS") returned 5 [0082.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0082.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0082.548] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0082.548] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0082.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0082.548] lstrlenW (lpString="MpsSvc") returned 6 [0082.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0082.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0082.548] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0082.548] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0082.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0082.549] lstrlenW (lpString="Netman") returned 6 [0082.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0082.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0082.549] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0082.549] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0082.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0082.549] lstrlenW (lpString="netprofm") returned 8 [0082.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0082.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0082.549] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0082.549] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0082.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0082.549] lstrlenW (lpString="NlaSvc") returned 6 [0082.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0082.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0082.549] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0082.549] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0082.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0082.549] lstrlenW (lpString="nsi") returned 3 [0082.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0082.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0082.549] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0082.549] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0082.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0082.549] lstrlenW (lpString="PcaSvc") returned 6 [0082.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0082.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0082.550] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0082.550] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0082.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0082.550] lstrlenW (lpString="PlugPlay") returned 8 [0082.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0082.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0082.550] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0082.550] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0082.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0082.550] lstrlenW (lpString="Power") returned 5 [0082.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0082.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0082.550] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0082.550] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0082.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0082.550] lstrlenW (lpString="ProfSvc") returned 7 [0082.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0082.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0082.550] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0082.550] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0082.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0082.550] lstrlenW (lpString="RpcEptMapper") returned 12 [0082.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0082.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0082.550] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0082.550] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0082.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0082.550] lstrlenW (lpString="RpcSs") returned 5 [0082.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0082.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0082.551] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0082.551] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0082.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0082.551] lstrlenW (lpString="SamSs") returned 5 [0082.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0082.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0082.551] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0082.551] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0082.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0082.551] lstrlenW (lpString="Schedule") returned 8 [0082.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0082.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0082.551] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0082.551] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0082.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0082.551] lstrlenW (lpString="SENS") returned 4 [0082.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0082.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0082.551] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0082.551] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0082.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0082.551] lstrlenW (lpString="ShellHWDetection") returned 16 [0082.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0082.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0082.551] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0082.551] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0082.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0082.552] lstrlenW (lpString="Spooler") returned 7 [0082.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0082.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0082.552] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0082.552] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0082.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0082.552] lstrlenW (lpString="swprv") returned 5 [0082.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0082.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0082.552] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0082.552] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0082.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0082.552] lstrlenW (lpString="SysMain") returned 7 [0082.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0082.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0082.552] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0082.552] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0082.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0082.552] lstrlenW (lpString="Themes") returned 6 [0082.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0082.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0082.552] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0082.552] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0082.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0082.552] lstrlenW (lpString="TrkWks") returned 6 [0082.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0082.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0082.552] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0082.553] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0082.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0082.553] lstrlenW (lpString="UxSms") returned 5 [0082.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0082.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0082.553] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0082.553] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0082.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0082.553] lstrlenW (lpString="VSS") returned 3 [0082.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0082.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0082.553] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0082.553] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0082.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0082.553] lstrlenW (lpString="WdiServiceHost") returned 14 [0082.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0082.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0082.553] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0082.553] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0082.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0082.553] lstrlenW (lpString="WdiSystemHost") returned 13 [0082.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0082.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0082.553] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0082.553] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0082.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0082.553] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0082.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0082.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0082.554] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0082.554] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0082.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0082.554] lstrlenW (lpString="Winmgmt") returned 7 [0082.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0082.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0082.554] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0082.554] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0082.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0082.554] lstrlenW (lpString="WPDBusEnum") returned 10 [0082.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0082.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0082.554] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0082.554] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0082.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0082.554] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0082.554] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x204 [0082.559] Process32FirstW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0082.560] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0082.561] lstrlenW (lpString="System") returned 6 [0082.561] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0082.561] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0082.561] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0082.561] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0082.561] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0082.561] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0082.561] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0082.561] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0082.561] lstrlenW (lpString="smss.exe") returned 8 [0082.561] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0082.562] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0082.562] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0082.562] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0082.562] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0082.562] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0082.562] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0082.562] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0082.562] lstrlenW (lpString="csrss.exe") returned 9 [0082.562] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0082.563] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0082.563] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0082.563] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0082.563] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0082.563] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0082.563] lstrlenW (lpString="wininit.exe") returned 11 [0082.564] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0082.571] lstrlenW (lpString="csrss.exe") returned 9 [0082.571] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0082.572] lstrlenW (lpString="winlogon.exe") returned 12 [0082.572] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0082.572] lstrlenW (lpString="services.exe") returned 12 [0082.572] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0082.573] lstrlenW (lpString="lsass.exe") returned 9 [0082.573] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0082.574] lstrlenW (lpString="lsm.exe") returned 7 [0082.574] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.574] lstrlenW (lpString="svchost.exe") returned 11 [0082.574] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.575] lstrlenW (lpString="svchost.exe") returned 11 [0082.575] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.576] lstrlenW (lpString="svchost.exe") returned 11 [0082.576] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.576] lstrlenW (lpString="svchost.exe") returned 11 [0082.576] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.577] lstrlenW (lpString="svchost.exe") returned 11 [0082.577] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0082.578] lstrlenW (lpString="audiodg.exe") returned 11 [0082.578] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.579] lstrlenW (lpString="svchost.exe") returned 11 [0082.579] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.579] lstrlenW (lpString="svchost.exe") returned 11 [0082.579] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0082.580] lstrlenW (lpString="dwm.exe") returned 7 [0082.580] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0082.581] lstrlenW (lpString="explorer.exe") returned 12 [0082.581] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0082.581] lstrlenW (lpString="spoolsv.exe") returned 11 [0082.581] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.582] lstrlenW (lpString="svchost.exe") returned 11 [0082.582] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0082.610] lstrlenW (lpString="taskhost.exe") returned 12 [0082.610] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0082.611] lstrlenW (lpString="taskeng.exe") returned 11 [0082.611] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0082.611] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0082.611] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0082.612] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0082.612] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0082.613] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0082.613] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0082.613] lstrlenW (lpString="celebration.exe") returned 15 [0082.614] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0082.614] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0082.614] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0082.661] lstrlenW (lpString="americansislamic.exe") returned 20 [0082.661] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0082.703] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0082.703] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0082.704] lstrlenW (lpString="sm-aud.exe") returned 10 [0082.704] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0082.705] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0082.705] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0082.705] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0082.705] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0082.706] lstrlenW (lpString="lap.exe") returned 7 [0082.706] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0082.707] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0082.707] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0082.707] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0082.707] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0082.708] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0082.708] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0082.709] lstrlenW (lpString="completion.exe") returned 14 [0082.709] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0082.709] lstrlenW (lpString="independently.exe") returned 17 [0082.709] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0082.710] lstrlenW (lpString="mel_kinase.exe") returned 14 [0082.710] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0082.711] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0082.711] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0082.711] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0082.711] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0082.712] lstrlenW (lpString="3dftp.exe") returned 9 [0082.712] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0082.713] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0082.713] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0082.713] lstrlenW (lpString="alftp.exe") returned 9 [0082.713] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0082.718] lstrlenW (lpString="barca.exe") returned 9 [0082.718] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0082.718] lstrlenW (lpString="bitkinex.exe") returned 12 [0082.718] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0082.719] lstrlenW (lpString="coreftp.exe") returned 11 [0082.720] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0082.720] lstrlenW (lpString="far.exe") returned 7 [0082.720] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0082.722] lstrlenW (lpString="filezilla.exe") returned 13 [0082.722] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0082.723] lstrlenW (lpString="flashfxp.exe") returned 12 [0082.723] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0082.724] lstrlenW (lpString="fling.exe") returned 9 [0082.724] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0082.724] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0082.724] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0082.726] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0082.726] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0082.734] lstrlenW (lpString="icq.exe") returned 7 [0082.734] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0082.734] lstrlenW (lpString="leechftp.exe") returned 12 [0082.734] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0082.735] lstrlenW (lpString="ncftp.exe") returned 9 [0082.735] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0082.736] lstrlenW (lpString="notepad.exe") returned 11 [0082.736] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0082.780] lstrlenW (lpString="operamail.exe") returned 13 [0082.780] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0082.781] lstrlenW (lpString="pidgin.exe") returned 10 [0082.781] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0082.782] lstrlenW (lpString="scriptftp.exe") returned 13 [0082.782] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0082.783] lstrlenW (lpString="skype.exe") returned 9 [0082.783] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0082.784] lstrlenW (lpString="smartftp.exe") returned 12 [0082.784] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0082.785] lstrlenW (lpString="thunderbird.exe") returned 15 [0082.785] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0082.785] lstrlenW (lpString="totalcmd.exe") returned 12 [0082.785] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0083.071] lstrlenW (lpString="trillian.exe") returned 12 [0083.072] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0083.073] lstrlenW (lpString="webdrive.exe") returned 12 [0083.073] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0083.074] lstrlenW (lpString="whatsapp.exe") returned 12 [0083.074] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0083.075] lstrlenW (lpString="winscp.exe") returned 10 [0083.075] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0083.076] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0083.076] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0083.077] lstrlenW (lpString="active-charge.exe") returned 17 [0083.077] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0083.078] lstrlenW (lpString="accupos.exe") returned 11 [0083.078] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0083.079] lstrlenW (lpString="afr38.exe") returned 9 [0083.079] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0083.080] lstrlenW (lpString="aldelo.exe") returned 10 [0083.080] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0083.081] lstrlenW (lpString="ccv_server.exe") returned 14 [0083.081] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0083.082] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0083.082] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0083.083] lstrlenW (lpString="creditservice.exe") returned 17 [0083.083] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0083.084] lstrlenW (lpString="edcsvr.exe") returned 10 [0083.084] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0083.085] lstrlenW (lpString="fpos.exe") returned 8 [0083.085] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0083.086] lstrlenW (lpString="isspos.exe") returned 10 [0083.086] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0083.087] lstrlenW (lpString="mxslipstream.exe") returned 16 [0083.087] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0083.088] lstrlenW (lpString="omnipos.exe") returned 11 [0083.088] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0083.089] lstrlenW (lpString="spcwin.exe") returned 10 [0083.089] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0083.089] lstrlenW (lpString="spgagentservice.exe") returned 19 [0083.090] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0083.090] lstrlenW (lpString="utg2.exe") returned 8 [0083.090] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0083.091] lstrlenW (lpString="forced-british.exe") returned 18 [0083.091] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0083.092] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0083.092] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0083.093] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0083.093] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0083.094] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0083.094] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0083.095] lstrlenW (lpString="kenya.exe") returned 9 [0083.095] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0083.096] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0083.096] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0083.097] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0083.097] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0083.098] lstrlenW (lpString="taskhost.exe") returned 12 [0083.098] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0083.099] lstrlenW (lpString="dmyurb.exe") returned 10 [0083.099] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0083.099] lstrlenW (lpString="cmd.exe") returned 7 [0083.099] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0083.100] lstrlenW (lpString="conhost.exe") returned 11 [0083.100] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0083.101] lstrlenW (lpString="vssadmin.exe") returned 12 [0083.101] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0083.102] lstrlenW (lpString="VSSVC.exe") returned 9 [0083.102] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.102] lstrlenW (lpString="svchost.exe") returned 11 [0083.102] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.103] lstrlenW (lpString="svchost.exe") returned 11 [0083.103] Process32NextW (in: hSnapshot=0x204, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0083.868] CloseHandle (hObject=0x204) returned 1 [0083.868] Sleep (dwMilliseconds=0x1f4) [0085.240] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df948 [0085.241] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0085.241] GetLastError () returned 0xea [0085.241] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12b4) returned 0x293ff8 [0085.241] EnumServicesStatusExW (in: hSCManager=0x2df948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x12b4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0085.242] CloseServiceHandle (hSCObject=0x2df948) returned 1 [0085.242] lstrlenW (lpString="Appinfo") returned 7 [0085.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0085.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0085.242] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0085.242] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0085.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0085.242] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0085.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0085.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0085.242] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0085.242] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0085.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0085.242] lstrlenW (lpString="AudioSrv") returned 8 [0085.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0085.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0085.243] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0085.243] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0085.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0085.243] lstrlenW (lpString="BFE") returned 3 [0085.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0085.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0085.243] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0085.243] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0085.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0085.243] lstrlenW (lpString="CryptSvc") returned 8 [0085.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0085.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0085.243] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0085.243] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0085.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0085.243] lstrlenW (lpString="CscService") returned 10 [0085.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0085.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0085.243] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0085.243] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0085.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0085.243] lstrlenW (lpString="DcomLaunch") returned 10 [0085.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0085.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0085.243] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0085.243] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0085.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0085.244] lstrlenW (lpString="Dhcp") returned 4 [0085.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0085.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0085.244] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0085.244] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0085.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0085.244] lstrlenW (lpString="Dnscache") returned 8 [0085.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0085.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0085.244] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0085.244] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0085.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0085.244] lstrlenW (lpString="DPS") returned 3 [0085.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0085.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0085.244] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0085.244] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0085.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0085.244] lstrlenW (lpString="eventlog") returned 8 [0085.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0085.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0085.244] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0085.244] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0085.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0085.244] lstrlenW (lpString="EventSystem") returned 11 [0085.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0085.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0085.245] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0085.245] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0085.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0085.245] lstrlenW (lpString="FontCache") returned 9 [0085.245] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0085.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0085.245] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0085.245] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0085.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0085.245] lstrlenW (lpString="gpsvc") returned 5 [0085.245] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0085.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0085.245] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0085.245] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0085.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0085.245] lstrlenW (lpString="iphlpsvc") returned 8 [0085.245] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0085.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0085.245] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0085.255] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0085.255] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0085.255] lstrlenW (lpString="LanmanServer") returned 12 [0085.256] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0085.256] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0085.256] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0085.256] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0085.256] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0085.256] lstrlenW (lpString="LanmanWorkstation") returned 17 [0085.256] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0085.256] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0085.256] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0085.256] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0085.256] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0085.256] lstrlenW (lpString="lmhosts") returned 7 [0085.256] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0085.256] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0085.256] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0085.256] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0085.256] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0085.256] lstrlenW (lpString="MMCSS") returned 5 [0085.256] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0085.256] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0085.256] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0085.256] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0085.256] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0085.256] lstrlenW (lpString="MpsSvc") returned 6 [0085.256] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0085.256] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0085.257] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0085.257] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0085.257] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0085.257] lstrlenW (lpString="Netman") returned 6 [0085.257] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0085.257] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0085.257] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0085.257] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0085.257] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0085.257] lstrlenW (lpString="netprofm") returned 8 [0085.257] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0085.257] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0085.257] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0085.257] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0085.257] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0085.257] lstrlenW (lpString="NlaSvc") returned 6 [0085.257] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0085.257] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0085.257] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0085.257] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0085.257] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0085.257] lstrlenW (lpString="nsi") returned 3 [0085.257] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0085.257] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0085.257] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0085.257] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0085.258] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0085.258] lstrlenW (lpString="PcaSvc") returned 6 [0085.258] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0085.258] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0085.258] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0085.258] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0085.258] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0085.258] lstrlenW (lpString="PlugPlay") returned 8 [0085.258] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0085.258] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0085.258] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0085.258] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0085.258] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0085.258] lstrlenW (lpString="Power") returned 5 [0085.258] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0085.258] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0085.258] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0085.258] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0085.258] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0085.258] lstrlenW (lpString="ProfSvc") returned 7 [0085.258] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0085.258] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0085.258] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0085.258] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0085.259] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0085.259] lstrlenW (lpString="RpcEptMapper") returned 12 [0085.259] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0085.259] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0085.259] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0085.259] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0085.259] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0085.259] lstrlenW (lpString="RpcSs") returned 5 [0085.259] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0085.259] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0085.259] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0085.259] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0085.259] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0085.259] lstrlenW (lpString="SamSs") returned 5 [0085.259] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0085.259] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0085.259] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0085.259] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0085.259] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0085.259] lstrlenW (lpString="Schedule") returned 8 [0085.259] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0085.259] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0085.259] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0085.259] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0085.259] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0085.259] lstrlenW (lpString="SENS") returned 4 [0085.260] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0085.260] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0085.260] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0085.260] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0085.260] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0085.260] lstrlenW (lpString="ShellHWDetection") returned 16 [0085.260] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0085.260] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0085.260] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0085.260] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0085.260] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0085.260] lstrlenW (lpString="Spooler") returned 7 [0085.260] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0085.260] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0085.260] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0085.260] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0085.260] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0085.260] lstrlenW (lpString="swprv") returned 5 [0085.260] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0085.260] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0085.260] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0085.260] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0085.260] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0085.260] lstrlenW (lpString="SysMain") returned 7 [0085.260] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0085.260] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0085.261] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0085.261] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0085.261] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0085.261] lstrlenW (lpString="Themes") returned 6 [0085.261] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0085.261] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0085.261] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0085.261] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0085.261] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0085.261] lstrlenW (lpString="TrkWks") returned 6 [0085.261] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0085.261] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0085.261] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0085.261] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0085.261] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0085.261] lstrlenW (lpString="UxSms") returned 5 [0085.261] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0085.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0085.262] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0085.262] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0085.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0085.262] lstrlenW (lpString="VSS") returned 3 [0085.262] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0085.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0085.262] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0085.262] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0085.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0085.262] lstrlenW (lpString="WdiServiceHost") returned 14 [0085.262] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0085.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0085.262] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0085.262] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0085.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0085.262] lstrlenW (lpString="WdiSystemHost") returned 13 [0085.262] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0085.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0085.262] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0085.262] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0085.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0085.262] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0085.262] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0085.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0085.262] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0085.263] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0085.263] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0085.263] lstrlenW (lpString="Winmgmt") returned 7 [0085.263] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0085.263] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0085.263] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0085.263] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0085.263] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0085.263] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0085.263] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e8 [0085.269] Process32FirstW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0085.269] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x52, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0085.270] lstrlenW (lpString="System") returned 6 [0085.270] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0085.270] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0085.270] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0085.270] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0085.270] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0085.270] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0085.270] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0085.270] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0085.271] lstrlenW (lpString="smss.exe") returned 8 [0085.271] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0085.271] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0085.271] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0085.271] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0085.271] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0085.271] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0085.271] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0085.271] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0085.272] lstrlenW (lpString="csrss.exe") returned 9 [0085.272] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0085.272] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0085.272] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0085.272] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0085.272] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0085.272] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0085.272] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0085.272] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0085.273] lstrlenW (lpString="wininit.exe") returned 11 [0085.273] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0085.273] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0085.273] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0085.273] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0085.274] lstrlenW (lpString="csrss.exe") returned 9 [0085.274] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0085.275] lstrlenW (lpString="winlogon.exe") returned 12 [0085.275] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0085.275] lstrlenW (lpString="services.exe") returned 12 [0085.275] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0085.276] lstrlenW (lpString="lsass.exe") returned 9 [0085.276] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0085.277] lstrlenW (lpString="lsm.exe") returned 7 [0085.277] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.277] lstrlenW (lpString="svchost.exe") returned 11 [0085.277] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.278] lstrlenW (lpString="svchost.exe") returned 11 [0085.278] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.279] lstrlenW (lpString="svchost.exe") returned 11 [0085.279] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.279] lstrlenW (lpString="svchost.exe") returned 11 [0085.279] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.280] lstrlenW (lpString="svchost.exe") returned 11 [0085.280] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0085.281] lstrlenW (lpString="audiodg.exe") returned 11 [0085.281] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.282] lstrlenW (lpString="svchost.exe") returned 11 [0085.282] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.283] lstrlenW (lpString="svchost.exe") returned 11 [0085.283] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0085.284] lstrlenW (lpString="dwm.exe") returned 7 [0085.284] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0085.284] lstrlenW (lpString="explorer.exe") returned 12 [0085.284] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0085.285] lstrlenW (lpString="spoolsv.exe") returned 11 [0085.285] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.285] lstrlenW (lpString="svchost.exe") returned 11 [0085.285] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0085.286] lstrlenW (lpString="taskhost.exe") returned 12 [0085.286] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0085.287] lstrlenW (lpString="taskeng.exe") returned 11 [0085.287] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0085.287] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0085.287] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0085.288] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0085.288] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0085.412] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0085.414] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0085.420] lstrlenW (lpString="celebration.exe") returned 15 [0085.420] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0085.433] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0085.433] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0085.433] lstrlenW (lpString="americansislamic.exe") returned 20 [0085.433] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0085.434] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0085.434] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0085.435] lstrlenW (lpString="sm-aud.exe") returned 10 [0085.435] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0085.436] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0085.436] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0085.436] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0085.436] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0085.437] lstrlenW (lpString="lap.exe") returned 7 [0085.437] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0085.438] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0085.438] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0085.438] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0085.438] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0085.439] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0085.439] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0085.440] lstrlenW (lpString="completion.exe") returned 14 [0085.440] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0085.440] lstrlenW (lpString="independently.exe") returned 17 [0085.440] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0085.441] lstrlenW (lpString="mel_kinase.exe") returned 14 [0085.441] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0085.442] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0085.442] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0085.442] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0085.442] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0085.443] lstrlenW (lpString="3dftp.exe") returned 9 [0085.443] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0085.444] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0085.444] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0085.444] lstrlenW (lpString="alftp.exe") returned 9 [0085.444] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0085.445] lstrlenW (lpString="barca.exe") returned 9 [0085.445] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0085.446] lstrlenW (lpString="bitkinex.exe") returned 12 [0085.446] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0085.446] lstrlenW (lpString="coreftp.exe") returned 11 [0085.446] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0085.447] lstrlenW (lpString="far.exe") returned 7 [0085.447] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0085.448] lstrlenW (lpString="filezilla.exe") returned 13 [0085.448] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0085.449] lstrlenW (lpString="flashfxp.exe") returned 12 [0085.449] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0085.449] lstrlenW (lpString="fling.exe") returned 9 [0085.449] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0085.450] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0085.450] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0085.451] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0085.451] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0085.451] lstrlenW (lpString="icq.exe") returned 7 [0085.451] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0085.452] lstrlenW (lpString="leechftp.exe") returned 12 [0085.452] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0085.453] lstrlenW (lpString="ncftp.exe") returned 9 [0085.453] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0085.454] lstrlenW (lpString="notepad.exe") returned 11 [0085.454] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0085.455] lstrlenW (lpString="operamail.exe") returned 13 [0085.455] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0085.456] lstrlenW (lpString="pidgin.exe") returned 10 [0085.456] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0085.457] lstrlenW (lpString="scriptftp.exe") returned 13 [0085.457] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0085.458] lstrlenW (lpString="skype.exe") returned 9 [0085.458] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0085.459] lstrlenW (lpString="smartftp.exe") returned 12 [0085.459] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0085.460] lstrlenW (lpString="thunderbird.exe") returned 15 [0085.460] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0085.461] lstrlenW (lpString="totalcmd.exe") returned 12 [0085.461] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0085.462] lstrlenW (lpString="trillian.exe") returned 12 [0085.462] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0085.463] lstrlenW (lpString="webdrive.exe") returned 12 [0085.463] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0085.708] lstrlenW (lpString="whatsapp.exe") returned 12 [0085.708] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0085.709] lstrlenW (lpString="winscp.exe") returned 10 [0085.709] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0085.710] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0085.710] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0085.711] lstrlenW (lpString="active-charge.exe") returned 17 [0085.711] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0085.712] lstrlenW (lpString="accupos.exe") returned 11 [0085.712] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0085.713] lstrlenW (lpString="afr38.exe") returned 9 [0085.713] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0085.714] lstrlenW (lpString="aldelo.exe") returned 10 [0085.714] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0085.715] lstrlenW (lpString="ccv_server.exe") returned 14 [0085.715] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0085.716] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0085.716] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0085.717] lstrlenW (lpString="creditservice.exe") returned 17 [0085.717] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0085.718] lstrlenW (lpString="edcsvr.exe") returned 10 [0085.718] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0085.719] lstrlenW (lpString="fpos.exe") returned 8 [0085.719] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0085.720] lstrlenW (lpString="isspos.exe") returned 10 [0085.720] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0085.721] lstrlenW (lpString="mxslipstream.exe") returned 16 [0085.721] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0085.722] lstrlenW (lpString="omnipos.exe") returned 11 [0085.722] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0085.723] lstrlenW (lpString="spcwin.exe") returned 10 [0085.723] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0085.723] lstrlenW (lpString="spgagentservice.exe") returned 19 [0085.724] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0085.724] lstrlenW (lpString="utg2.exe") returned 8 [0085.724] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0085.725] lstrlenW (lpString="forced-british.exe") returned 18 [0085.725] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0085.726] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0085.726] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0085.727] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0085.727] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0085.728] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0085.728] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0085.729] lstrlenW (lpString="kenya.exe") returned 9 [0085.729] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0085.730] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0085.730] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0085.731] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0085.731] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0085.731] lstrlenW (lpString="taskhost.exe") returned 12 [0085.731] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0085.732] lstrlenW (lpString="dmyurb.exe") returned 10 [0085.732] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0085.733] lstrlenW (lpString="cmd.exe") returned 7 [0085.733] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0085.734] lstrlenW (lpString="conhost.exe") returned 11 [0085.734] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0085.735] lstrlenW (lpString="vssadmin.exe") returned 12 [0085.735] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0085.735] lstrlenW (lpString="VSSVC.exe") returned 9 [0085.735] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.736] lstrlenW (lpString="svchost.exe") returned 11 [0085.736] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.737] lstrlenW (lpString="svchost.exe") returned 11 [0085.737] Process32NextW (in: hSnapshot=0x1e8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0085.738] CloseHandle (hObject=0x1e8) returned 1 [0085.738] Sleep (dwMilliseconds=0x1f4) [0086.437] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df8f8 [0086.437] EnumServicesStatusExW (in: hSCManager=0x2df8f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0086.437] GetLastError () returned 0xea [0086.438] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12b4) returned 0x40a97c0 [0086.438] EnumServicesStatusExW (in: hSCManager=0x2df8f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x40a97c0, cbBufSize=0x12b4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x40a97c0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0086.438] CloseServiceHandle (hSCObject=0x2df8f8) returned 1 [0086.439] lstrlenW (lpString="Appinfo") returned 7 [0086.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0086.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0086.439] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0086.439] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0086.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0086.439] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0086.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0086.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0086.439] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0086.439] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0086.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0086.439] lstrlenW (lpString="AudioSrv") returned 8 [0086.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0086.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0086.439] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0086.439] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0086.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0086.439] lstrlenW (lpString="BFE") returned 3 [0086.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0086.439] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0086.439] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0086.439] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0086.439] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0086.439] lstrlenW (lpString="CryptSvc") returned 8 [0086.439] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0086.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0086.440] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0086.440] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0086.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0086.440] lstrlenW (lpString="CscService") returned 10 [0086.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0086.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0086.440] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0086.440] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0086.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0086.440] lstrlenW (lpString="DcomLaunch") returned 10 [0086.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0086.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0086.440] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0086.440] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0086.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0086.440] lstrlenW (lpString="Dhcp") returned 4 [0086.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0086.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0086.440] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0086.440] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0086.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0086.440] lstrlenW (lpString="Dnscache") returned 8 [0086.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0086.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0086.440] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0086.440] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0086.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0086.441] lstrlenW (lpString="DPS") returned 3 [0086.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0086.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0086.441] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0086.441] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0086.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0086.441] lstrlenW (lpString="eventlog") returned 8 [0086.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0086.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0086.441] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0086.441] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0086.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0086.441] lstrlenW (lpString="EventSystem") returned 11 [0086.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0086.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0086.441] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0086.441] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0086.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0086.441] lstrlenW (lpString="FontCache") returned 9 [0086.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0086.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0086.441] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0086.441] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0086.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0086.441] lstrlenW (lpString="gpsvc") returned 5 [0086.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0086.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0086.442] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0086.442] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0086.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0086.442] lstrlenW (lpString="iphlpsvc") returned 8 [0086.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0086.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0086.442] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0086.442] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0086.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0086.442] lstrlenW (lpString="LanmanServer") returned 12 [0086.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0086.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0086.442] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0086.442] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0086.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0086.442] lstrlenW (lpString="LanmanWorkstation") returned 17 [0086.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0086.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0086.442] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0086.442] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0086.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0086.442] lstrlenW (lpString="lmhosts") returned 7 [0086.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0086.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0086.442] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0086.442] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0086.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0086.443] lstrlenW (lpString="MMCSS") returned 5 [0086.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0086.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0086.443] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0086.443] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0086.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0086.443] lstrlenW (lpString="MpsSvc") returned 6 [0086.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0086.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0086.443] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0086.443] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0086.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0086.443] lstrlenW (lpString="Netman") returned 6 [0086.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0086.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0086.443] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0086.443] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0086.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0086.443] lstrlenW (lpString="netprofm") returned 8 [0086.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0086.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0086.443] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0086.443] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0086.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0086.443] lstrlenW (lpString="NlaSvc") returned 6 [0086.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0086.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0086.444] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0086.444] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0086.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0086.444] lstrlenW (lpString="nsi") returned 3 [0086.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0086.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0086.444] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0086.444] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0086.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0086.444] lstrlenW (lpString="PcaSvc") returned 6 [0086.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0086.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0086.444] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0086.444] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0086.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0086.444] lstrlenW (lpString="PlugPlay") returned 8 [0086.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0086.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0086.444] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0086.444] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0086.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0086.444] lstrlenW (lpString="Power") returned 5 [0086.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0086.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0086.444] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0086.444] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0086.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0086.445] lstrlenW (lpString="ProfSvc") returned 7 [0086.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0086.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0086.445] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0086.445] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0086.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0086.445] lstrlenW (lpString="RpcEptMapper") returned 12 [0086.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0086.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0086.445] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0086.445] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0086.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0086.445] lstrlenW (lpString="RpcSs") returned 5 [0086.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0086.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0086.445] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0086.445] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0086.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0086.445] lstrlenW (lpString="SamSs") returned 5 [0086.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0086.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0086.445] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0086.445] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0086.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0086.445] lstrlenW (lpString="Schedule") returned 8 [0086.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0086.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0086.446] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0086.446] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0086.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0086.446] lstrlenW (lpString="SENS") returned 4 [0086.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0086.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0086.446] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0086.446] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0086.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0086.446] lstrlenW (lpString="ShellHWDetection") returned 16 [0086.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0086.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0086.446] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0086.446] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0086.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0086.446] lstrlenW (lpString="Spooler") returned 7 [0086.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0086.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0086.446] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0086.446] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0086.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0086.446] lstrlenW (lpString="swprv") returned 5 [0086.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0086.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0086.446] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0086.446] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0086.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0086.447] lstrlenW (lpString="SysMain") returned 7 [0086.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0086.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0086.447] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0086.447] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0086.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0086.447] lstrlenW (lpString="Themes") returned 6 [0086.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0086.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0086.447] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0086.447] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0086.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0086.447] lstrlenW (lpString="TrkWks") returned 6 [0086.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0086.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0086.447] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0086.447] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0086.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0086.447] lstrlenW (lpString="UxSms") returned 5 [0086.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0086.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0086.447] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0086.447] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0086.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0086.447] lstrlenW (lpString="VSS") returned 3 [0086.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0086.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0086.447] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0086.448] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0086.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0086.448] lstrlenW (lpString="WdiServiceHost") returned 14 [0086.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0086.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0086.448] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0086.448] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0086.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0086.448] lstrlenW (lpString="WdiSystemHost") returned 13 [0086.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0086.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0086.448] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0086.448] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0086.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0086.448] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0086.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0086.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0086.448] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0086.448] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0086.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0086.448] lstrlenW (lpString="Winmgmt") returned 7 [0086.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0086.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0086.449] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0086.449] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0086.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0086.449] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40a97c0 | out: hHeap=0x240000) returned 1 [0086.449] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x214 [0086.455] Process32FirstW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0086.455] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0086.456] lstrlenW (lpString="System") returned 6 [0086.456] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0086.456] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0086.456] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0086.456] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0086.456] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0086.456] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0086.456] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0086.456] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0086.457] lstrlenW (lpString="smss.exe") returned 8 [0086.457] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0086.457] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0086.457] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0086.457] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0086.457] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0086.457] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0086.457] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0086.457] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.458] lstrlenW (lpString="csrss.exe") returned 9 [0086.458] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0086.458] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0086.458] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0086.458] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0086.458] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0086.458] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0086.458] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0086.458] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0086.459] lstrlenW (lpString="wininit.exe") returned 11 [0086.459] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0086.459] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0086.459] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0086.459] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.460] lstrlenW (lpString="csrss.exe") returned 9 [0086.460] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0086.461] lstrlenW (lpString="winlogon.exe") returned 12 [0086.461] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0086.462] lstrlenW (lpString="services.exe") returned 12 [0086.462] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0086.462] lstrlenW (lpString="lsass.exe") returned 9 [0086.462] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0086.463] lstrlenW (lpString="lsm.exe") returned 7 [0086.463] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.464] lstrlenW (lpString="svchost.exe") returned 11 [0086.464] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.465] lstrlenW (lpString="svchost.exe") returned 11 [0086.465] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.465] lstrlenW (lpString="svchost.exe") returned 11 [0086.465] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.466] lstrlenW (lpString="svchost.exe") returned 11 [0086.466] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.467] lstrlenW (lpString="svchost.exe") returned 11 [0086.467] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0086.467] lstrlenW (lpString="audiodg.exe") returned 11 [0086.467] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.468] lstrlenW (lpString="svchost.exe") returned 11 [0086.468] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.469] lstrlenW (lpString="svchost.exe") returned 11 [0086.469] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0086.469] lstrlenW (lpString="dwm.exe") returned 7 [0086.470] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0086.847] lstrlenW (lpString="explorer.exe") returned 12 [0086.848] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0086.868] lstrlenW (lpString="spoolsv.exe") returned 11 [0086.868] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.869] lstrlenW (lpString="svchost.exe") returned 11 [0086.869] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0086.870] lstrlenW (lpString="taskhost.exe") returned 12 [0086.870] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0086.871] lstrlenW (lpString="taskeng.exe") returned 11 [0086.871] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0086.871] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0086.871] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0086.872] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0086.872] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0086.873] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0086.873] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0086.873] lstrlenW (lpString="celebration.exe") returned 15 [0086.873] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0086.874] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0086.874] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0086.875] lstrlenW (lpString="americansislamic.exe") returned 20 [0086.875] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0086.875] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0086.875] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0086.876] lstrlenW (lpString="sm-aud.exe") returned 10 [0086.876] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0086.877] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0086.877] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0086.877] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0086.877] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0086.878] lstrlenW (lpString="lap.exe") returned 7 [0086.878] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0086.878] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0086.878] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0086.879] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0086.879] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0086.879] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0086.880] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0086.880] lstrlenW (lpString="completion.exe") returned 14 [0086.880] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0086.881] lstrlenW (lpString="independently.exe") returned 17 [0086.881] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0086.882] lstrlenW (lpString="mel_kinase.exe") returned 14 [0086.882] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0086.882] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0086.882] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0086.883] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0086.883] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0086.884] lstrlenW (lpString="3dftp.exe") returned 9 [0086.884] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0086.885] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0086.885] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0086.885] lstrlenW (lpString="alftp.exe") returned 9 [0086.885] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0086.886] lstrlenW (lpString="barca.exe") returned 9 [0086.886] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0086.887] lstrlenW (lpString="bitkinex.exe") returned 12 [0086.887] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0086.887] lstrlenW (lpString="coreftp.exe") returned 11 [0086.887] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0086.888] lstrlenW (lpString="far.exe") returned 7 [0086.888] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0086.889] lstrlenW (lpString="filezilla.exe") returned 13 [0086.889] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0086.889] lstrlenW (lpString="flashfxp.exe") returned 12 [0086.890] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0086.890] lstrlenW (lpString="fling.exe") returned 9 [0086.890] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0086.891] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0086.891] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0086.891] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0086.892] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0086.892] lstrlenW (lpString="icq.exe") returned 7 [0086.892] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0086.893] lstrlenW (lpString="leechftp.exe") returned 12 [0086.893] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0086.894] lstrlenW (lpString="ncftp.exe") returned 9 [0086.894] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0086.895] lstrlenW (lpString="notepad.exe") returned 11 [0086.895] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0086.896] lstrlenW (lpString="operamail.exe") returned 13 [0086.896] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0086.897] lstrlenW (lpString="pidgin.exe") returned 10 [0086.897] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0086.898] lstrlenW (lpString="scriptftp.exe") returned 13 [0086.898] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0087.174] lstrlenW (lpString="skype.exe") returned 9 [0087.174] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0087.175] lstrlenW (lpString="smartftp.exe") returned 12 [0087.175] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0087.176] lstrlenW (lpString="thunderbird.exe") returned 15 [0087.176] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0087.177] lstrlenW (lpString="totalcmd.exe") returned 12 [0087.177] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0087.178] lstrlenW (lpString="trillian.exe") returned 12 [0087.178] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0087.179] lstrlenW (lpString="webdrive.exe") returned 12 [0087.179] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0087.180] lstrlenW (lpString="whatsapp.exe") returned 12 [0087.181] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0087.181] lstrlenW (lpString="winscp.exe") returned 10 [0087.181] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0087.182] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0087.182] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0087.183] lstrlenW (lpString="active-charge.exe") returned 17 [0087.183] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0087.184] lstrlenW (lpString="accupos.exe") returned 11 [0087.184] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0087.185] lstrlenW (lpString="afr38.exe") returned 9 [0087.185] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0087.186] lstrlenW (lpString="aldelo.exe") returned 10 [0087.186] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0087.187] lstrlenW (lpString="ccv_server.exe") returned 14 [0087.187] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0087.188] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0087.188] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0087.189] lstrlenW (lpString="creditservice.exe") returned 17 [0087.189] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0087.190] lstrlenW (lpString="edcsvr.exe") returned 10 [0087.190] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0087.191] lstrlenW (lpString="fpos.exe") returned 8 [0087.191] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0087.192] lstrlenW (lpString="isspos.exe") returned 10 [0087.192] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0087.197] lstrlenW (lpString="mxslipstream.exe") returned 16 [0087.197] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0087.198] lstrlenW (lpString="omnipos.exe") returned 11 [0087.198] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0087.198] lstrlenW (lpString="spcwin.exe") returned 10 [0087.198] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0087.199] lstrlenW (lpString="spgagentservice.exe") returned 19 [0087.199] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0087.200] lstrlenW (lpString="utg2.exe") returned 8 [0087.200] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0087.200] lstrlenW (lpString="forced-british.exe") returned 18 [0087.200] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0087.201] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0087.201] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0087.202] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0087.202] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0087.202] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0087.202] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0087.203] lstrlenW (lpString="kenya.exe") returned 9 [0087.203] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0087.204] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0087.204] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0087.204] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0087.204] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0087.205] lstrlenW (lpString="taskhost.exe") returned 12 [0087.205] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0087.206] lstrlenW (lpString="dmyurb.exe") returned 10 [0087.206] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0087.206] lstrlenW (lpString="cmd.exe") returned 7 [0087.206] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0087.207] lstrlenW (lpString="conhost.exe") returned 11 [0087.207] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0087.207] lstrlenW (lpString="vssadmin.exe") returned 12 [0087.207] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0087.208] lstrlenW (lpString="VSSVC.exe") returned 9 [0087.208] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.209] lstrlenW (lpString="svchost.exe") returned 11 [0087.209] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.209] lstrlenW (lpString="svchost.exe") returned 11 [0087.210] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0087.241] CloseHandle (hObject=0x214) returned 1 [0087.241] Sleep (dwMilliseconds=0x1f4) [0088.064] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df8f8 [0088.064] EnumServicesStatusExW (in: hSCManager=0x2df8f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0088.064] GetLastError () returned 0xea [0088.064] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12b4) returned 0x293ff8 [0088.064] EnumServicesStatusExW (in: hSCManager=0x2df8f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x12b4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0088.065] CloseServiceHandle (hSCObject=0x2df8f8) returned 1 [0088.065] lstrlenW (lpString="Appinfo") returned 7 [0088.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0088.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0088.065] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0088.065] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0088.065] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0088.065] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0088.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0088.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0088.065] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0088.065] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0088.065] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0088.065] lstrlenW (lpString="AudioSrv") returned 8 [0088.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0088.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0088.065] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0088.066] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0088.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0088.066] lstrlenW (lpString="BFE") returned 3 [0088.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0088.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0088.066] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0088.066] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0088.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0088.066] lstrlenW (lpString="CryptSvc") returned 8 [0088.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0088.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0088.066] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0088.066] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0088.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0088.066] lstrlenW (lpString="CscService") returned 10 [0088.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0088.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0088.066] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0088.066] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0088.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0088.066] lstrlenW (lpString="DcomLaunch") returned 10 [0088.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0088.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0088.066] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0088.066] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0088.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0088.066] lstrlenW (lpString="Dhcp") returned 4 [0088.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0088.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0088.066] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0088.066] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0088.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0088.066] lstrlenW (lpString="Dnscache") returned 8 [0088.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0088.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0088.066] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0088.067] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0088.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0088.067] lstrlenW (lpString="DPS") returned 3 [0088.067] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0088.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0088.067] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0088.067] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0088.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0088.067] lstrlenW (lpString="eventlog") returned 8 [0088.067] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0088.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0088.067] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0088.067] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0088.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0088.067] lstrlenW (lpString="EventSystem") returned 11 [0088.067] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0088.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0088.067] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0088.067] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0088.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0088.067] lstrlenW (lpString="FontCache") returned 9 [0088.067] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0088.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0088.067] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0088.067] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0088.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0088.067] lstrlenW (lpString="gpsvc") returned 5 [0088.067] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0088.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0088.067] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0088.068] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0088.068] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0088.068] lstrlenW (lpString="iphlpsvc") returned 8 [0088.068] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0088.068] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0088.068] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0088.068] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0088.068] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0088.068] lstrlenW (lpString="LanmanServer") returned 12 [0088.068] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0088.068] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0088.068] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0088.068] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0088.068] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0088.068] lstrlenW (lpString="LanmanWorkstation") returned 17 [0088.068] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0088.068] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0088.068] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0088.068] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0088.068] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0088.068] lstrlenW (lpString="lmhosts") returned 7 [0088.068] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0088.068] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0088.068] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0088.068] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0088.068] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0088.068] lstrlenW (lpString="MMCSS") returned 5 [0088.068] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0088.068] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0088.069] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0088.069] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0088.069] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0088.069] lstrlenW (lpString="MpsSvc") returned 6 [0088.069] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0088.069] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0088.069] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0088.069] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0088.069] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0088.069] lstrlenW (lpString="Netman") returned 6 [0088.069] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0088.069] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0088.069] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0088.069] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0088.069] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0088.069] lstrlenW (lpString="netprofm") returned 8 [0088.069] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0088.069] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0088.069] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0088.069] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0088.069] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0088.069] lstrlenW (lpString="NlaSvc") returned 6 [0088.069] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0088.069] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0088.069] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0088.070] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0088.070] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0088.070] lstrlenW (lpString="nsi") returned 3 [0088.070] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0088.070] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0088.070] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0088.070] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0088.070] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0088.070] lstrlenW (lpString="PcaSvc") returned 6 [0088.070] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0088.070] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0088.070] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0088.070] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0088.070] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0088.070] lstrlenW (lpString="PlugPlay") returned 8 [0088.070] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0088.070] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0088.070] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0088.070] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0088.070] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0088.070] lstrlenW (lpString="Power") returned 5 [0088.070] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0088.070] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0088.070] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0088.070] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0088.070] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0088.070] lstrlenW (lpString="ProfSvc") returned 7 [0088.070] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0088.070] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0088.070] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0088.070] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0088.070] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0088.070] lstrlenW (lpString="RpcEptMapper") returned 12 [0088.070] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0088.070] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0088.070] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0088.071] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0088.071] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0088.071] lstrlenW (lpString="RpcSs") returned 5 [0088.071] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0088.071] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0088.071] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0088.071] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0088.071] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0088.071] lstrlenW (lpString="SamSs") returned 5 [0088.071] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0088.071] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0088.071] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0088.071] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0088.071] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0088.071] lstrlenW (lpString="Schedule") returned 8 [0088.071] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0088.071] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0088.071] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0088.071] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0088.071] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0088.071] lstrlenW (lpString="SENS") returned 4 [0088.071] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0088.071] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0088.071] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0088.071] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0088.071] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0088.071] lstrlenW (lpString="ShellHWDetection") returned 16 [0088.071] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0088.071] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0088.071] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0088.071] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0088.071] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0088.071] lstrlenW (lpString="Spooler") returned 7 [0088.071] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0088.071] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0088.071] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0088.072] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0088.072] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0088.072] lstrlenW (lpString="swprv") returned 5 [0088.072] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0088.072] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0088.072] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0088.072] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0088.072] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0088.072] lstrlenW (lpString="SysMain") returned 7 [0088.072] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0088.072] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0088.072] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0088.072] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0088.072] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0088.072] lstrlenW (lpString="Themes") returned 6 [0088.072] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0088.072] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0088.072] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0088.072] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0088.072] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0088.072] lstrlenW (lpString="TrkWks") returned 6 [0088.072] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0088.072] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0088.072] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0088.072] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0088.072] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0088.072] lstrlenW (lpString="UxSms") returned 5 [0088.072] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0088.072] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0088.072] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0088.072] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0088.072] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0088.072] lstrlenW (lpString="VSS") returned 3 [0088.072] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0088.072] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0088.073] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0088.073] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0088.073] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0088.073] lstrlenW (lpString="WdiServiceHost") returned 14 [0088.073] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0088.073] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0088.073] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0088.073] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0088.073] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0088.073] lstrlenW (lpString="WdiSystemHost") returned 13 [0088.073] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0088.073] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0088.073] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0088.073] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0088.073] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0088.073] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0088.073] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0088.073] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0088.073] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0088.073] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0088.073] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0088.073] lstrlenW (lpString="Winmgmt") returned 7 [0088.073] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0088.073] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0088.073] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0088.073] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0088.073] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0088.073] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0088.073] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x214 [0088.078] Process32FirstW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0088.078] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0088.079] lstrlenW (lpString="System") returned 6 [0088.079] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0088.079] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0088.079] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0088.079] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0088.079] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0088.079] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0088.079] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0088.079] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0088.079] lstrlenW (lpString="smss.exe") returned 8 [0088.080] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0088.080] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0088.080] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0088.080] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0088.080] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0088.080] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0088.080] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0088.080] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.080] lstrlenW (lpString="csrss.exe") returned 9 [0088.080] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0088.080] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0088.080] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0088.081] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0088.081] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0088.081] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0088.081] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0088.081] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0088.081] lstrlenW (lpString="wininit.exe") returned 11 [0088.081] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0088.081] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0088.081] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0088.081] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.082] lstrlenW (lpString="csrss.exe") returned 9 [0088.082] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0088.083] lstrlenW (lpString="winlogon.exe") returned 12 [0088.083] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0088.083] lstrlenW (lpString="services.exe") returned 12 [0088.083] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0088.084] lstrlenW (lpString="lsass.exe") returned 9 [0088.084] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0088.084] lstrlenW (lpString="lsm.exe") returned 7 [0088.084] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.085] lstrlenW (lpString="svchost.exe") returned 11 [0088.085] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.085] lstrlenW (lpString="svchost.exe") returned 11 [0088.085] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.086] lstrlenW (lpString="svchost.exe") returned 11 [0088.086] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.086] lstrlenW (lpString="svchost.exe") returned 11 [0088.087] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.087] lstrlenW (lpString="svchost.exe") returned 11 [0088.087] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0088.087] lstrlenW (lpString="audiodg.exe") returned 11 [0088.088] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.088] lstrlenW (lpString="svchost.exe") returned 11 [0088.088] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.089] lstrlenW (lpString="svchost.exe") returned 11 [0088.089] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0088.089] lstrlenW (lpString="dwm.exe") returned 7 [0088.089] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0088.090] lstrlenW (lpString="explorer.exe") returned 12 [0088.090] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0088.090] lstrlenW (lpString="spoolsv.exe") returned 11 [0088.090] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.091] lstrlenW (lpString="svchost.exe") returned 11 [0088.091] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0088.091] lstrlenW (lpString="taskhost.exe") returned 12 [0088.091] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0088.092] lstrlenW (lpString="taskeng.exe") returned 11 [0088.092] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0088.092] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0088.092] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0088.093] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0088.093] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0088.093] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0088.093] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0088.094] lstrlenW (lpString="celebration.exe") returned 15 [0088.094] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0088.095] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0088.095] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0088.095] lstrlenW (lpString="americansislamic.exe") returned 20 [0088.095] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0088.096] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0088.096] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0088.096] lstrlenW (lpString="sm-aud.exe") returned 10 [0088.097] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0088.097] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0088.097] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0088.098] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0088.098] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0088.098] lstrlenW (lpString="lap.exe") returned 7 [0088.098] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0088.099] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0088.099] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0088.099] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0088.099] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0088.163] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0088.163] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0088.164] lstrlenW (lpString="completion.exe") returned 14 [0088.164] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0088.165] lstrlenW (lpString="independently.exe") returned 17 [0088.165] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0088.165] lstrlenW (lpString="mel_kinase.exe") returned 14 [0088.165] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0088.166] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0088.166] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0088.167] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0088.167] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0088.167] lstrlenW (lpString="3dftp.exe") returned 9 [0088.167] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0088.168] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0088.168] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0088.168] lstrlenW (lpString="alftp.exe") returned 9 [0088.168] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0088.169] lstrlenW (lpString="barca.exe") returned 9 [0088.169] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0088.169] lstrlenW (lpString="bitkinex.exe") returned 12 [0088.169] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0088.170] lstrlenW (lpString="coreftp.exe") returned 11 [0088.170] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0088.170] lstrlenW (lpString="far.exe") returned 7 [0088.170] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0088.171] lstrlenW (lpString="filezilla.exe") returned 13 [0088.171] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0088.172] lstrlenW (lpString="flashfxp.exe") returned 12 [0088.172] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0088.172] lstrlenW (lpString="fling.exe") returned 9 [0088.172] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0088.173] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0088.173] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0088.173] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0088.173] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0088.174] lstrlenW (lpString="icq.exe") returned 7 [0088.174] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0088.175] lstrlenW (lpString="leechftp.exe") returned 12 [0088.175] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0088.176] lstrlenW (lpString="ncftp.exe") returned 9 [0088.176] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0088.177] lstrlenW (lpString="notepad.exe") returned 11 [0088.177] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0088.177] lstrlenW (lpString="operamail.exe") returned 13 [0088.177] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0088.179] lstrlenW (lpString="pidgin.exe") returned 10 [0088.179] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0088.180] lstrlenW (lpString="scriptftp.exe") returned 13 [0088.180] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0088.180] lstrlenW (lpString="skype.exe") returned 9 [0088.180] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0088.181] lstrlenW (lpString="smartftp.exe") returned 12 [0088.181] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0088.182] lstrlenW (lpString="thunderbird.exe") returned 15 [0088.182] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0088.183] lstrlenW (lpString="totalcmd.exe") returned 12 [0088.183] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0088.184] lstrlenW (lpString="trillian.exe") returned 12 [0088.184] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0088.185] lstrlenW (lpString="webdrive.exe") returned 12 [0088.185] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0088.185] lstrlenW (lpString="whatsapp.exe") returned 12 [0088.185] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0088.186] lstrlenW (lpString="winscp.exe") returned 10 [0088.186] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0088.187] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0088.187] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0088.188] lstrlenW (lpString="active-charge.exe") returned 17 [0088.188] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0088.189] lstrlenW (lpString="accupos.exe") returned 11 [0088.189] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0088.189] lstrlenW (lpString="afr38.exe") returned 9 [0088.189] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0088.190] lstrlenW (lpString="aldelo.exe") returned 10 [0088.190] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0088.191] lstrlenW (lpString="ccv_server.exe") returned 14 [0088.191] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0088.191] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0088.191] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0088.192] lstrlenW (lpString="creditservice.exe") returned 17 [0088.192] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0088.193] lstrlenW (lpString="edcsvr.exe") returned 10 [0088.193] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0088.194] lstrlenW (lpString="fpos.exe") returned 8 [0088.195] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0088.195] lstrlenW (lpString="isspos.exe") returned 10 [0088.195] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0088.196] lstrlenW (lpString="mxslipstream.exe") returned 16 [0088.196] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0088.197] lstrlenW (lpString="omnipos.exe") returned 11 [0088.197] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0088.198] lstrlenW (lpString="spcwin.exe") returned 10 [0088.198] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0088.198] lstrlenW (lpString="spgagentservice.exe") returned 19 [0088.198] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0088.199] lstrlenW (lpString="utg2.exe") returned 8 [0088.199] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0088.200] lstrlenW (lpString="forced-british.exe") returned 18 [0088.200] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0088.201] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0088.201] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0088.202] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0088.202] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0088.203] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0088.203] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0088.204] lstrlenW (lpString="kenya.exe") returned 9 [0088.204] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0088.205] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0088.205] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0088.205] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0088.205] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0088.206] lstrlenW (lpString="taskhost.exe") returned 12 [0088.206] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0088.207] lstrlenW (lpString="dmyurb.exe") returned 10 [0088.207] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0088.208] lstrlenW (lpString="cmd.exe") returned 7 [0088.208] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0088.208] lstrlenW (lpString="conhost.exe") returned 11 [0088.208] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0088.209] lstrlenW (lpString="vssadmin.exe") returned 12 [0088.209] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0088.214] lstrlenW (lpString="VSSVC.exe") returned 9 [0088.214] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.214] lstrlenW (lpString="svchost.exe") returned 11 [0088.214] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.215] lstrlenW (lpString="svchost.exe") returned 11 [0088.215] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0088.216] lstrlenW (lpString="LogonUI.exe") returned 11 [0088.216] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0088.216] CloseHandle (hObject=0x214) returned 1 [0088.217] Sleep (dwMilliseconds=0x1f4) [0088.725] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df8f8 [0088.726] EnumServicesStatusExW (in: hSCManager=0x2df8f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0088.727] GetLastError () returned 0xea [0088.727] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12b4) returned 0x293ff8 [0088.727] EnumServicesStatusExW (in: hSCManager=0x2df8f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x12b4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0088.728] CloseServiceHandle (hSCObject=0x2df8f8) returned 1 [0088.729] lstrlenW (lpString="Appinfo") returned 7 [0088.729] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0088.729] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0088.729] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0088.729] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0088.729] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0088.729] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0088.729] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0088.729] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0088.729] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0088.729] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0088.729] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0088.729] lstrlenW (lpString="AudioSrv") returned 8 [0088.729] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0088.729] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0088.729] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0088.729] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0088.729] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0088.729] lstrlenW (lpString="BFE") returned 3 [0088.729] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0088.729] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0088.729] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0088.729] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0088.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0088.730] lstrlenW (lpString="CryptSvc") returned 8 [0088.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0088.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0088.730] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0088.730] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0088.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0088.730] lstrlenW (lpString="CscService") returned 10 [0088.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0088.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0088.730] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0088.730] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0088.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0088.730] lstrlenW (lpString="DcomLaunch") returned 10 [0088.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0088.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0088.730] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0088.730] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0088.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0088.730] lstrlenW (lpString="Dhcp") returned 4 [0088.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0088.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0088.730] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0088.730] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0088.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0088.730] lstrlenW (lpString="Dnscache") returned 8 [0088.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0088.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0088.730] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0088.730] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0088.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0088.730] lstrlenW (lpString="DPS") returned 3 [0088.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0088.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0088.731] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0088.731] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0088.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0088.731] lstrlenW (lpString="eventlog") returned 8 [0088.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0088.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0088.731] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0088.731] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0088.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0088.731] lstrlenW (lpString="EventSystem") returned 11 [0088.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0088.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0088.731] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0088.731] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0088.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0088.731] lstrlenW (lpString="FontCache") returned 9 [0088.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0088.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0088.731] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0088.731] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0088.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0088.731] lstrlenW (lpString="gpsvc") returned 5 [0088.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0088.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0088.731] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0088.731] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0088.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0088.731] lstrlenW (lpString="iphlpsvc") returned 8 [0088.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0088.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0088.731] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0088.731] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0088.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0088.732] lstrlenW (lpString="LanmanServer") returned 12 [0088.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0088.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0088.732] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0088.732] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0088.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0088.732] lstrlenW (lpString="LanmanWorkstation") returned 17 [0088.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0088.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0088.732] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0088.732] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0088.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0088.732] lstrlenW (lpString="lmhosts") returned 7 [0088.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0088.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0088.732] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0088.732] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0088.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0088.732] lstrlenW (lpString="MMCSS") returned 5 [0088.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0088.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0088.732] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0088.732] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0088.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0088.732] lstrlenW (lpString="MpsSvc") returned 6 [0088.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0088.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0088.732] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0088.732] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0088.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0088.732] lstrlenW (lpString="Netman") returned 6 [0088.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0088.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0088.732] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0088.733] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0088.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0088.733] lstrlenW (lpString="netprofm") returned 8 [0088.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0088.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0088.733] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0088.733] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0088.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0088.733] lstrlenW (lpString="NlaSvc") returned 6 [0088.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0088.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0088.733] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0088.733] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0088.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0088.733] lstrlenW (lpString="nsi") returned 3 [0088.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0088.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0088.733] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0088.733] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0088.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0088.733] lstrlenW (lpString="PcaSvc") returned 6 [0088.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0088.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0088.733] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0088.733] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0088.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0088.733] lstrlenW (lpString="PlugPlay") returned 8 [0088.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0088.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0088.734] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0088.734] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0088.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0088.734] lstrlenW (lpString="Power") returned 5 [0088.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0088.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0088.734] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0088.734] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0088.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0088.734] lstrlenW (lpString="ProfSvc") returned 7 [0088.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0088.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0088.734] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0088.734] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0088.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0088.734] lstrlenW (lpString="RpcEptMapper") returned 12 [0088.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0088.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0088.734] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0088.734] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0088.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0088.734] lstrlenW (lpString="RpcSs") returned 5 [0088.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0088.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0088.734] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0088.734] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0088.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0088.735] lstrlenW (lpString="SamSs") returned 5 [0088.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0088.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0088.735] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0088.735] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0088.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0088.735] lstrlenW (lpString="Schedule") returned 8 [0088.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0088.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0088.735] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0088.735] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0088.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0088.735] lstrlenW (lpString="SENS") returned 4 [0088.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0088.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0088.735] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0088.735] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0088.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0088.735] lstrlenW (lpString="ShellHWDetection") returned 16 [0088.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0088.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0088.735] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0088.735] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0088.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0088.735] lstrlenW (lpString="Spooler") returned 7 [0088.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0088.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0088.735] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0088.736] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0088.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0088.736] lstrlenW (lpString="swprv") returned 5 [0088.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0088.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0088.736] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0088.736] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0088.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0088.736] lstrlenW (lpString="SysMain") returned 7 [0088.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0088.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0088.736] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0088.736] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0088.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0088.736] lstrlenW (lpString="Themes") returned 6 [0088.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0088.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0088.736] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0088.736] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0088.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0088.736] lstrlenW (lpString="TrkWks") returned 6 [0088.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0088.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0088.736] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0088.736] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0088.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0088.736] lstrlenW (lpString="UxSms") returned 5 [0088.737] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0088.737] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0088.737] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0088.737] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0088.737] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0088.737] lstrlenW (lpString="VSS") returned 3 [0088.737] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0088.737] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0088.737] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0088.737] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0088.737] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0088.737] lstrlenW (lpString="WdiServiceHost") returned 14 [0088.737] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0088.737] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0088.737] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0088.737] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0088.737] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0088.737] lstrlenW (lpString="WdiSystemHost") returned 13 [0088.737] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0088.737] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0088.737] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0088.737] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0088.737] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0088.737] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0088.737] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0088.737] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0088.737] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0088.738] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0088.738] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0088.738] lstrlenW (lpString="Winmgmt") returned 7 [0088.738] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0088.738] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0088.738] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0088.738] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0088.738] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0088.738] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0088.738] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x214 [0088.744] Process32FirstW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0088.744] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0088.745] lstrlenW (lpString="System") returned 6 [0088.745] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0088.745] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0088.745] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0088.745] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0088.745] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0088.745] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0088.745] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0088.745] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0088.746] lstrlenW (lpString="smss.exe") returned 8 [0088.746] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0088.746] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0088.746] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0088.746] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0088.746] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0088.746] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0088.746] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0088.746] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.747] lstrlenW (lpString="csrss.exe") returned 9 [0088.747] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0088.747] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0088.747] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0088.747] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0088.747] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0088.747] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0088.747] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0088.747] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0088.748] lstrlenW (lpString="wininit.exe") returned 11 [0088.748] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0088.748] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0088.748] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0088.748] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.749] lstrlenW (lpString="csrss.exe") returned 9 [0088.749] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0088.750] lstrlenW (lpString="winlogon.exe") returned 12 [0088.750] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0088.750] lstrlenW (lpString="services.exe") returned 12 [0088.750] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0088.751] lstrlenW (lpString="lsass.exe") returned 9 [0088.751] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0088.752] lstrlenW (lpString="lsm.exe") returned 7 [0088.752] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.752] lstrlenW (lpString="svchost.exe") returned 11 [0088.753] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.753] lstrlenW (lpString="svchost.exe") returned 11 [0088.753] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.754] lstrlenW (lpString="svchost.exe") returned 11 [0088.754] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.755] lstrlenW (lpString="svchost.exe") returned 11 [0088.755] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.755] lstrlenW (lpString="svchost.exe") returned 11 [0088.756] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0088.756] lstrlenW (lpString="audiodg.exe") returned 11 [0088.756] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.757] lstrlenW (lpString="svchost.exe") returned 11 [0088.757] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.758] lstrlenW (lpString="svchost.exe") returned 11 [0088.758] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0088.758] lstrlenW (lpString="dwm.exe") returned 7 [0088.758] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0088.759] lstrlenW (lpString="explorer.exe") returned 12 [0088.759] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0088.760] lstrlenW (lpString="spoolsv.exe") returned 11 [0088.760] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.760] lstrlenW (lpString="svchost.exe") returned 11 [0088.760] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0088.761] lstrlenW (lpString="taskhost.exe") returned 12 [0088.761] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0088.762] lstrlenW (lpString="taskeng.exe") returned 11 [0088.762] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0088.762] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0088.762] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0088.763] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0088.763] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0088.764] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0088.764] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0088.765] lstrlenW (lpString="celebration.exe") returned 15 [0088.765] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0088.765] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0088.765] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0088.766] lstrlenW (lpString="americansislamic.exe") returned 20 [0088.766] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0088.767] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0088.767] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0088.767] lstrlenW (lpString="sm-aud.exe") returned 10 [0088.767] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0088.768] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0088.768] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0088.769] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0088.769] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0088.769] lstrlenW (lpString="lap.exe") returned 7 [0088.770] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0088.770] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0088.770] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0088.772] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0088.772] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0088.773] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0088.773] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0088.773] lstrlenW (lpString="completion.exe") returned 14 [0088.774] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0088.774] lstrlenW (lpString="independently.exe") returned 17 [0088.774] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0088.775] lstrlenW (lpString="mel_kinase.exe") returned 14 [0088.775] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0088.776] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0088.776] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0088.776] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0088.776] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0088.777] lstrlenW (lpString="3dftp.exe") returned 9 [0088.777] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0088.778] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0088.778] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0088.778] lstrlenW (lpString="alftp.exe") returned 9 [0088.778] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0088.779] lstrlenW (lpString="barca.exe") returned 9 [0088.779] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0088.780] lstrlenW (lpString="bitkinex.exe") returned 12 [0088.780] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0088.780] lstrlenW (lpString="coreftp.exe") returned 11 [0088.780] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0088.781] lstrlenW (lpString="far.exe") returned 7 [0088.781] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0088.782] lstrlenW (lpString="filezilla.exe") returned 13 [0088.782] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0088.782] lstrlenW (lpString="flashfxp.exe") returned 12 [0088.783] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0088.783] lstrlenW (lpString="fling.exe") returned 9 [0088.783] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0088.784] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0088.784] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0088.785] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0088.785] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0088.785] lstrlenW (lpString="icq.exe") returned 7 [0088.785] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0088.786] lstrlenW (lpString="leechftp.exe") returned 12 [0088.786] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0088.788] lstrlenW (lpString="ncftp.exe") returned 9 [0088.788] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0088.789] lstrlenW (lpString="notepad.exe") returned 11 [0088.789] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0088.790] lstrlenW (lpString="operamail.exe") returned 13 [0088.790] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0088.791] lstrlenW (lpString="pidgin.exe") returned 10 [0088.791] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0088.792] lstrlenW (lpString="scriptftp.exe") returned 13 [0088.793] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0088.794] lstrlenW (lpString="skype.exe") returned 9 [0088.794] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0088.795] lstrlenW (lpString="smartftp.exe") returned 12 [0088.795] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0088.796] lstrlenW (lpString="thunderbird.exe") returned 15 [0088.796] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0088.797] lstrlenW (lpString="totalcmd.exe") returned 12 [0088.797] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0088.798] lstrlenW (lpString="trillian.exe") returned 12 [0088.798] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0088.799] lstrlenW (lpString="webdrive.exe") returned 12 [0088.799] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0088.800] lstrlenW (lpString="whatsapp.exe") returned 12 [0088.800] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0088.801] lstrlenW (lpString="winscp.exe") returned 10 [0088.801] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0088.802] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0088.802] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0088.803] lstrlenW (lpString="active-charge.exe") returned 17 [0088.803] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0088.804] lstrlenW (lpString="accupos.exe") returned 11 [0088.804] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0088.805] lstrlenW (lpString="afr38.exe") returned 9 [0088.805] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0088.806] lstrlenW (lpString="aldelo.exe") returned 10 [0088.806] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0088.807] lstrlenW (lpString="ccv_server.exe") returned 14 [0088.807] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0088.808] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0088.808] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0088.808] lstrlenW (lpString="creditservice.exe") returned 17 [0088.809] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0088.809] lstrlenW (lpString="edcsvr.exe") returned 10 [0088.809] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0088.810] lstrlenW (lpString="fpos.exe") returned 8 [0088.810] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0088.811] lstrlenW (lpString="isspos.exe") returned 10 [0088.811] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0088.812] lstrlenW (lpString="mxslipstream.exe") returned 16 [0088.812] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0088.813] lstrlenW (lpString="omnipos.exe") returned 11 [0088.813] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0088.814] lstrlenW (lpString="spcwin.exe") returned 10 [0088.814] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0088.815] lstrlenW (lpString="spgagentservice.exe") returned 19 [0088.815] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0088.816] lstrlenW (lpString="utg2.exe") returned 8 [0088.816] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0088.817] lstrlenW (lpString="forced-british.exe") returned 18 [0088.817] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0088.818] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0088.818] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0088.819] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0088.819] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0088.820] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0088.820] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0088.821] lstrlenW (lpString="kenya.exe") returned 9 [0088.821] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0088.821] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0088.821] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0088.822] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0088.822] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0088.823] lstrlenW (lpString="taskhost.exe") returned 12 [0088.823] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0088.824] lstrlenW (lpString="dmyurb.exe") returned 10 [0088.824] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0088.825] lstrlenW (lpString="cmd.exe") returned 7 [0088.825] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0088.826] lstrlenW (lpString="conhost.exe") returned 11 [0088.826] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0088.826] lstrlenW (lpString="vssadmin.exe") returned 12 [0088.826] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0088.827] lstrlenW (lpString="VSSVC.exe") returned 9 [0088.827] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.828] lstrlenW (lpString="svchost.exe") returned 11 [0088.828] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.828] lstrlenW (lpString="svchost.exe") returned 11 [0088.829] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0088.829] lstrlenW (lpString="LogonUI.exe") returned 11 [0088.829] Process32NextW (in: hSnapshot=0x214, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0088.830] CloseHandle (hObject=0x214) returned 1 [0088.830] Sleep (dwMilliseconds=0x1f4) [0089.679] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2df8f8 [0089.680] EnumServicesStatusExW (in: hSCManager=0x2df8f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0089.680] GetLastError () returned 0xea [0089.680] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12b4) returned 0x293ff8 [0089.680] EnumServicesStatusExW (in: hSCManager=0x2df8f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x12b4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0089.681] CloseServiceHandle (hSCObject=0x2df8f8) returned 1 [0089.681] lstrlenW (lpString="Appinfo") returned 7 [0089.681] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0089.681] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0089.681] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0089.681] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0089.681] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0089.681] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0089.681] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0089.681] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0089.681] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0089.681] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0089.681] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0089.681] lstrlenW (lpString="AudioSrv") returned 8 [0089.681] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0089.681] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0089.681] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0089.681] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0089.681] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0089.681] lstrlenW (lpString="BFE") returned 3 [0089.681] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0089.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0089.682] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0089.682] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0089.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0089.682] lstrlenW (lpString="CryptSvc") returned 8 [0089.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0089.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0089.682] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0089.682] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0089.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0089.682] lstrlenW (lpString="CscService") returned 10 [0089.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0089.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0089.682] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0089.682] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0089.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0089.682] lstrlenW (lpString="DcomLaunch") returned 10 [0089.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0089.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0089.682] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0089.682] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0089.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0089.682] lstrlenW (lpString="Dhcp") returned 4 [0089.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0089.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0089.682] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0089.682] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0089.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0089.682] lstrlenW (lpString="Dnscache") returned 8 [0089.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0089.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0089.683] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0089.683] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0089.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0089.683] lstrlenW (lpString="DPS") returned 3 [0089.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0089.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0089.683] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0089.683] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0089.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0089.683] lstrlenW (lpString="eventlog") returned 8 [0089.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0089.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0089.683] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0089.683] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0089.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0089.683] lstrlenW (lpString="EventSystem") returned 11 [0089.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0089.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0089.683] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0089.683] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0089.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0089.683] lstrlenW (lpString="FontCache") returned 9 [0089.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0089.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0089.683] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0089.683] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0089.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0089.684] lstrlenW (lpString="gpsvc") returned 5 [0089.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0089.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0089.684] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0089.684] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0089.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0089.684] lstrlenW (lpString="iphlpsvc") returned 8 [0089.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0089.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0089.684] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0089.684] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0089.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0089.684] lstrlenW (lpString="LanmanServer") returned 12 [0089.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0089.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0089.684] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0089.684] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0089.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0089.684] lstrlenW (lpString="LanmanWorkstation") returned 17 [0089.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0089.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0089.684] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0089.684] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0089.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0089.684] lstrlenW (lpString="lmhosts") returned 7 [0089.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0089.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0089.684] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0089.684] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0089.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0089.685] lstrlenW (lpString="MMCSS") returned 5 [0089.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0089.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0089.685] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0089.685] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0089.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0089.685] lstrlenW (lpString="MpsSvc") returned 6 [0089.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0089.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0089.685] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0089.685] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0089.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0089.685] lstrlenW (lpString="Netman") returned 6 [0089.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0089.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0089.685] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0089.685] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0089.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0089.685] lstrlenW (lpString="netprofm") returned 8 [0089.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0089.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0089.685] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0089.685] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0089.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0089.685] lstrlenW (lpString="NlaSvc") returned 6 [0089.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0089.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0089.685] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0089.685] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0089.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0089.686] lstrlenW (lpString="nsi") returned 3 [0089.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0089.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0089.686] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0089.686] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0089.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0089.686] lstrlenW (lpString="PcaSvc") returned 6 [0089.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0089.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0089.686] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0089.686] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0089.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0089.686] lstrlenW (lpString="PlugPlay") returned 8 [0089.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0089.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0089.686] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0089.686] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0089.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0089.686] lstrlenW (lpString="Power") returned 5 [0089.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0089.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0089.686] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0089.686] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0089.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0089.686] lstrlenW (lpString="ProfSvc") returned 7 [0089.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0089.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0089.686] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0089.686] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0089.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0089.687] lstrlenW (lpString="RpcEptMapper") returned 12 [0089.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0089.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0089.687] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0089.687] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0089.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0089.687] lstrlenW (lpString="RpcSs") returned 5 [0089.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0089.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0089.687] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0089.687] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0089.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0089.687] lstrlenW (lpString="SamSs") returned 5 [0089.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0089.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0089.687] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0089.687] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0089.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0089.687] lstrlenW (lpString="Schedule") returned 8 [0089.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0089.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0089.687] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0089.687] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0089.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0089.687] lstrlenW (lpString="SENS") returned 4 [0089.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0089.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0089.687] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0089.687] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0089.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0089.688] lstrlenW (lpString="ShellHWDetection") returned 16 [0089.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0089.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0089.688] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0089.688] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0089.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0089.688] lstrlenW (lpString="Spooler") returned 7 [0089.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0089.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0089.688] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0089.688] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0089.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0089.688] lstrlenW (lpString="swprv") returned 5 [0089.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0089.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0089.688] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0089.688] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0089.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0089.688] lstrlenW (lpString="SysMain") returned 7 [0089.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0089.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0089.688] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0089.688] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0089.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0089.688] lstrlenW (lpString="Themes") returned 6 [0089.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0089.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0089.688] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0089.689] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0089.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0089.689] lstrlenW (lpString="TrkWks") returned 6 [0089.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0089.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0089.689] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0089.689] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0089.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0089.689] lstrlenW (lpString="UxSms") returned 5 [0089.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0089.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0089.689] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0089.689] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0089.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0089.689] lstrlenW (lpString="VSS") returned 3 [0089.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0089.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0089.689] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0089.689] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0089.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0089.689] lstrlenW (lpString="WdiServiceHost") returned 14 [0089.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0089.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0089.689] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0089.689] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0089.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0089.689] lstrlenW (lpString="WdiSystemHost") returned 13 [0089.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0089.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0089.689] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0089.689] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0089.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0089.690] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0089.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0089.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0089.690] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0089.690] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0089.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0089.690] lstrlenW (lpString="Winmgmt") returned 7 [0089.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0089.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0089.690] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0089.690] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0089.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0089.690] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0089.690] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1d8 [0089.697] Process32FirstW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0089.697] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0089.698] lstrlenW (lpString="System") returned 6 [0089.698] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0089.698] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0089.698] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0089.698] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0089.698] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0089.698] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0089.698] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0089.698] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0089.699] lstrlenW (lpString="smss.exe") returned 8 [0089.699] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0089.699] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0089.699] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0089.699] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0089.699] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0089.699] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0089.699] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0089.699] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0089.700] lstrlenW (lpString="csrss.exe") returned 9 [0089.700] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0089.700] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0089.700] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0089.700] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0089.700] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0089.700] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0089.700] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0089.700] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0089.701] lstrlenW (lpString="wininit.exe") returned 11 [0089.701] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0089.701] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0089.701] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0089.701] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0089.702] lstrlenW (lpString="csrss.exe") returned 9 [0089.702] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0089.702] lstrlenW (lpString="winlogon.exe") returned 12 [0089.702] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0089.703] lstrlenW (lpString="services.exe") returned 12 [0089.703] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0089.703] lstrlenW (lpString="lsass.exe") returned 9 [0089.703] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0089.704] lstrlenW (lpString="lsm.exe") returned 7 [0089.704] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.705] lstrlenW (lpString="svchost.exe") returned 11 [0089.705] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.705] lstrlenW (lpString="svchost.exe") returned 11 [0089.705] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.706] lstrlenW (lpString="svchost.exe") returned 11 [0089.706] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.707] lstrlenW (lpString="svchost.exe") returned 11 [0089.707] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.707] lstrlenW (lpString="svchost.exe") returned 11 [0089.707] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0089.708] lstrlenW (lpString="audiodg.exe") returned 11 [0089.708] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.709] lstrlenW (lpString="svchost.exe") returned 11 [0089.709] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.709] lstrlenW (lpString="svchost.exe") returned 11 [0089.709] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0089.710] lstrlenW (lpString="dwm.exe") returned 7 [0089.710] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0089.710] lstrlenW (lpString="explorer.exe") returned 12 [0089.711] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0089.711] lstrlenW (lpString="spoolsv.exe") returned 11 [0089.711] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.712] lstrlenW (lpString="svchost.exe") returned 11 [0089.712] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0089.712] lstrlenW (lpString="taskhost.exe") returned 12 [0089.712] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0089.713] lstrlenW (lpString="taskeng.exe") returned 11 [0089.713] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0089.714] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0089.714] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0089.714] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0089.714] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0089.715] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0089.715] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0089.716] lstrlenW (lpString="celebration.exe") returned 15 [0089.716] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0089.716] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0089.716] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0089.717] lstrlenW (lpString="americansislamic.exe") returned 20 [0089.717] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0089.717] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0089.717] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0089.718] lstrlenW (lpString="sm-aud.exe") returned 10 [0089.718] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0089.719] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0089.719] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0089.719] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0089.719] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0089.720] lstrlenW (lpString="lap.exe") returned 7 [0089.720] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0089.721] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0089.721] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0089.721] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0089.721] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0089.722] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0089.722] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0089.722] lstrlenW (lpString="completion.exe") returned 14 [0090.137] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0090.137] lstrlenW (lpString="independently.exe") returned 17 [0090.137] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0090.138] lstrlenW (lpString="mel_kinase.exe") returned 14 [0090.138] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0090.139] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0090.139] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0090.139] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0090.139] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0090.140] lstrlenW (lpString="3dftp.exe") returned 9 [0090.140] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0090.140] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0090.141] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0090.141] lstrlenW (lpString="alftp.exe") returned 9 [0090.141] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0090.142] lstrlenW (lpString="barca.exe") returned 9 [0090.142] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0090.142] lstrlenW (lpString="bitkinex.exe") returned 12 [0090.142] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0090.143] lstrlenW (lpString="coreftp.exe") returned 11 [0090.143] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0090.144] lstrlenW (lpString="far.exe") returned 7 [0090.144] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0090.144] lstrlenW (lpString="filezilla.exe") returned 13 [0090.144] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0090.145] lstrlenW (lpString="flashfxp.exe") returned 12 [0090.145] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0090.146] lstrlenW (lpString="fling.exe") returned 9 [0090.146] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0090.146] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0090.146] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0090.147] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0090.147] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0090.147] lstrlenW (lpString="icq.exe") returned 7 [0090.147] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0090.148] lstrlenW (lpString="leechftp.exe") returned 12 [0090.148] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0090.149] lstrlenW (lpString="ncftp.exe") returned 9 [0090.149] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0090.150] lstrlenW (lpString="notepad.exe") returned 11 [0090.150] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0090.151] lstrlenW (lpString="operamail.exe") returned 13 [0090.151] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0090.152] lstrlenW (lpString="pidgin.exe") returned 10 [0090.152] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0090.153] lstrlenW (lpString="scriptftp.exe") returned 13 [0090.153] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0090.154] lstrlenW (lpString="skype.exe") returned 9 [0090.154] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0090.155] lstrlenW (lpString="smartftp.exe") returned 12 [0090.155] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0090.156] lstrlenW (lpString="thunderbird.exe") returned 15 [0090.156] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0090.157] lstrlenW (lpString="totalcmd.exe") returned 12 [0090.157] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0090.158] lstrlenW (lpString="trillian.exe") returned 12 [0090.158] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0090.158] lstrlenW (lpString="webdrive.exe") returned 12 [0090.159] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0090.160] lstrlenW (lpString="whatsapp.exe") returned 12 [0090.160] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0090.161] lstrlenW (lpString="winscp.exe") returned 10 [0090.161] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0090.162] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0090.162] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0090.163] lstrlenW (lpString="active-charge.exe") returned 17 [0090.163] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0090.164] lstrlenW (lpString="accupos.exe") returned 11 [0090.164] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0090.164] lstrlenW (lpString="afr38.exe") returned 9 [0090.164] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0090.165] lstrlenW (lpString="aldelo.exe") returned 10 [0090.165] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0090.166] lstrlenW (lpString="ccv_server.exe") returned 14 [0090.166] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0090.167] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0090.167] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0090.168] lstrlenW (lpString="creditservice.exe") returned 17 [0090.168] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0090.169] lstrlenW (lpString="edcsvr.exe") returned 10 [0090.169] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0090.170] lstrlenW (lpString="fpos.exe") returned 8 [0090.170] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0090.170] lstrlenW (lpString="isspos.exe") returned 10 [0090.171] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0090.171] lstrlenW (lpString="mxslipstream.exe") returned 16 [0090.171] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0090.172] lstrlenW (lpString="omnipos.exe") returned 11 [0090.172] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0090.173] lstrlenW (lpString="spcwin.exe") returned 10 [0090.173] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0090.174] lstrlenW (lpString="spgagentservice.exe") returned 19 [0090.174] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0090.175] lstrlenW (lpString="utg2.exe") returned 8 [0090.175] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0090.406] lstrlenW (lpString="forced-british.exe") returned 18 [0090.406] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0090.407] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0090.407] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0090.407] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0090.407] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0090.408] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0090.408] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0090.408] lstrlenW (lpString="kenya.exe") returned 9 [0090.409] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0090.409] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0090.409] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0090.410] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0090.410] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0090.411] lstrlenW (lpString="taskhost.exe") returned 12 [0090.411] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0090.411] lstrlenW (lpString="dmyurb.exe") returned 10 [0090.412] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0090.412] lstrlenW (lpString="cmd.exe") returned 7 [0090.412] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0090.413] lstrlenW (lpString="conhost.exe") returned 11 [0090.413] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0090.413] lstrlenW (lpString="vssadmin.exe") returned 12 [0090.413] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0090.414] lstrlenW (lpString="VSSVC.exe") returned 9 [0090.414] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.415] lstrlenW (lpString="svchost.exe") returned 11 [0090.415] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.415] lstrlenW (lpString="svchost.exe") returned 11 [0090.415] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0090.416] lstrlenW (lpString="LogonUI.exe") returned 11 [0090.416] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0090.417] CloseHandle (hObject=0x1d8) returned 1 [0090.417] Sleep (dwMilliseconds=0x1f4) [0092.536] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x275c00 [0092.537] EnumServicesStatusExW (in: hSCManager=0x275c00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 0 [0092.537] GetLastError () returned 0xea [0092.537] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x12b4) returned 0x293ff8 [0092.537] EnumServicesStatusExW (in: hSCManager=0x275c00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x293ff8, cbBufSize=0x12b4, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x293ff8, pcbBytesNeeded=0x215ff44, lpServicesReturned=0x215ff5c, lpResumeHandle=0x0) returned 1 [0092.538] CloseServiceHandle (hSCObject=0x275c00) returned 1 [0092.538] lstrlenW (lpString="Appinfo") returned 7 [0092.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0092.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0092.538] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0092.538] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0092.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0092.538] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0092.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0092.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0092.538] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0092.538] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0092.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0092.538] lstrlenW (lpString="AudioSrv") returned 8 [0092.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0092.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0092.539] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0092.539] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0092.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0092.539] lstrlenW (lpString="BFE") returned 3 [0092.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0092.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0092.539] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0092.539] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0092.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0092.539] lstrlenW (lpString="CryptSvc") returned 8 [0092.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0092.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0092.539] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0092.539] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0092.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0092.539] lstrlenW (lpString="CscService") returned 10 [0092.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0092.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0092.539] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0092.539] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0092.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0092.539] lstrlenW (lpString="DcomLaunch") returned 10 [0092.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0092.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0092.539] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0092.540] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0092.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0092.540] lstrlenW (lpString="Dhcp") returned 4 [0092.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0092.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0092.540] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0092.540] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0092.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0092.540] lstrlenW (lpString="Dnscache") returned 8 [0092.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0092.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0092.540] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0092.540] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0092.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0092.540] lstrlenW (lpString="DPS") returned 3 [0092.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0092.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0092.540] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0092.540] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0092.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0092.540] lstrlenW (lpString="eventlog") returned 8 [0092.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0092.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0092.540] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0092.540] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0092.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0092.540] lstrlenW (lpString="EventSystem") returned 11 [0092.541] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0092.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0092.541] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0092.541] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0092.541] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0092.541] lstrlenW (lpString="FontCache") returned 9 [0092.541] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0092.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0092.541] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0092.541] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0092.541] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0092.541] lstrlenW (lpString="gpsvc") returned 5 [0092.541] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0092.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0092.541] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0092.541] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0092.541] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0092.541] lstrlenW (lpString="iphlpsvc") returned 8 [0092.541] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0092.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0092.541] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0092.541] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0092.541] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0092.541] lstrlenW (lpString="LanmanServer") returned 12 [0092.541] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0092.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0092.541] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0092.542] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0092.542] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0092.542] lstrlenW (lpString="LanmanWorkstation") returned 17 [0092.542] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0092.542] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0092.542] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0092.542] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0092.542] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0092.542] lstrlenW (lpString="lmhosts") returned 7 [0092.542] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0092.542] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0092.542] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0092.542] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0092.542] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0092.542] lstrlenW (lpString="MMCSS") returned 5 [0092.543] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0092.543] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0092.543] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0092.543] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0092.543] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0092.543] lstrlenW (lpString="MpsSvc") returned 6 [0092.543] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0092.543] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0092.543] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0092.543] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0092.543] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0092.543] lstrlenW (lpString="Netman") returned 6 [0092.543] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0092.543] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0092.543] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0092.543] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0092.543] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0092.543] lstrlenW (lpString="netprofm") returned 8 [0092.543] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0092.543] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0092.543] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0092.543] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0092.543] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0092.543] lstrlenW (lpString="NlaSvc") returned 6 [0092.543] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0092.543] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0092.543] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0092.544] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0092.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0092.544] lstrlenW (lpString="nsi") returned 3 [0092.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0092.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0092.544] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0092.544] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0092.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0092.544] lstrlenW (lpString="PcaSvc") returned 6 [0092.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0092.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0092.544] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0092.544] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0092.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0092.544] lstrlenW (lpString="PlugPlay") returned 8 [0092.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0092.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0092.544] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0092.544] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0092.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0092.544] lstrlenW (lpString="Power") returned 5 [0092.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0092.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0092.544] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0092.544] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0092.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0092.544] lstrlenW (lpString="ProfSvc") returned 7 [0092.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0092.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0092.545] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0092.545] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0092.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0092.545] lstrlenW (lpString="RpcEptMapper") returned 12 [0092.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0092.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0092.545] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0092.545] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0092.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0092.545] lstrlenW (lpString="RpcSs") returned 5 [0092.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0092.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0092.545] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0092.545] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0092.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0092.545] lstrlenW (lpString="SamSs") returned 5 [0092.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0092.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0092.545] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0092.545] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0092.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0092.545] lstrlenW (lpString="Schedule") returned 8 [0092.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0092.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0092.545] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0092.545] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0092.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0092.546] lstrlenW (lpString="SENS") returned 4 [0092.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0092.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0092.546] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0092.546] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0092.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0092.546] lstrlenW (lpString="ShellHWDetection") returned 16 [0092.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0092.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0092.546] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0092.546] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0092.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0092.546] lstrlenW (lpString="Spooler") returned 7 [0092.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0092.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0092.546] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0092.546] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0092.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0092.546] lstrlenW (lpString="swprv") returned 5 [0092.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0092.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0092.547] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0092.547] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0092.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0092.547] lstrlenW (lpString="SysMain") returned 7 [0092.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0092.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0092.547] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0092.547] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0092.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0092.547] lstrlenW (lpString="Themes") returned 6 [0092.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0092.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0092.547] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0092.547] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0092.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0092.547] lstrlenW (lpString="TrkWks") returned 6 [0092.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0092.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0092.547] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0092.547] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0092.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0092.547] lstrlenW (lpString="UxSms") returned 5 [0092.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0092.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0092.548] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0092.548] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0092.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0092.548] lstrlenW (lpString="VSS") returned 3 [0092.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0092.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0092.548] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0092.548] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0092.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0092.548] lstrlenW (lpString="WdiServiceHost") returned 14 [0092.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0092.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0092.548] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0092.548] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0092.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0092.548] lstrlenW (lpString="WdiSystemHost") returned 13 [0092.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0092.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0092.548] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0092.548] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0092.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0092.548] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0092.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0092.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0092.548] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0092.548] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0092.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0092.549] lstrlenW (lpString="Winmgmt") returned 7 [0092.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0092.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0092.549] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0092.549] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0092.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0092.549] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x293ff8 | out: hHeap=0x240000) returned 1 [0092.549] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1d8 [0092.554] Process32FirstW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.555] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x52, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0092.556] lstrlenW (lpString="System") returned 6 [0092.556] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0092.556] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0092.556] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0092.556] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0092.556] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0092.556] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0092.556] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0092.556] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0092.557] lstrlenW (lpString="smss.exe") returned 8 [0092.557] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0092.557] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0092.557] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0092.557] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0092.557] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0092.557] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0092.557] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0092.557] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0092.557] lstrlenW (lpString="csrss.exe") returned 9 [0092.558] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0092.558] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0092.558] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0092.558] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0092.558] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0092.558] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0092.558] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0092.558] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0092.558] lstrlenW (lpString="wininit.exe") returned 11 [0092.558] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0092.558] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0092.559] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0092.559] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0092.559] lstrlenW (lpString="csrss.exe") returned 9 [0092.559] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0092.560] lstrlenW (lpString="winlogon.exe") returned 12 [0092.560] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0092.561] lstrlenW (lpString="services.exe") returned 12 [0092.561] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0092.561] lstrlenW (lpString="lsass.exe") returned 9 [0092.562] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0092.562] lstrlenW (lpString="lsm.exe") returned 7 [0092.562] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.563] lstrlenW (lpString="svchost.exe") returned 11 [0092.563] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.564] lstrlenW (lpString="svchost.exe") returned 11 [0092.564] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.564] lstrlenW (lpString="svchost.exe") returned 11 [0092.565] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.565] lstrlenW (lpString="svchost.exe") returned 11 [0092.565] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.566] lstrlenW (lpString="svchost.exe") returned 11 [0092.566] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0092.567] lstrlenW (lpString="audiodg.exe") returned 11 [0092.567] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.567] lstrlenW (lpString="svchost.exe") returned 11 [0092.567] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.568] lstrlenW (lpString="svchost.exe") returned 11 [0092.568] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0092.569] lstrlenW (lpString="dwm.exe") returned 7 [0092.569] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0092.569] lstrlenW (lpString="explorer.exe") returned 12 [0092.569] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0092.570] lstrlenW (lpString="spoolsv.exe") returned 11 [0092.570] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.571] lstrlenW (lpString="svchost.exe") returned 11 [0092.571] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0092.571] lstrlenW (lpString="taskhost.exe") returned 12 [0092.571] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0092.572] lstrlenW (lpString="taskeng.exe") returned 11 [0092.572] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="attacked-illustrated-biological.exe")) returned 1 [0092.573] lstrlenW (lpString="attacked-illustrated-biological.exe") returned 35 [0092.573] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lauderdale_armenia_operated.exe")) returned 1 [0092.573] lstrlenW (lpString="lauderdale_armenia_operated.exe") returned 31 [0092.573] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="intersection-career-fed.exe")) returned 1 [0092.574] lstrlenW (lpString="intersection-career-fed.exe") returned 27 [0092.574] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="celebration.exe")) returned 1 [0092.575] lstrlenW (lpString="celebration.exe") returned 15 [0092.575] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="view_victim_writer.exe")) returned 1 [0092.575] lstrlenW (lpString="view_victim_writer.exe") returned 22 [0092.575] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="americansislamic.exe")) returned 1 [0092.576] lstrlenW (lpString="americansislamic.exe") returned 20 [0092.576] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="enterprisesreformdame.exe")) returned 1 [0092.577] lstrlenW (lpString="enterprisesreformdame.exe") returned 25 [0092.577] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sm-aud.exe")) returned 1 [0092.831] lstrlenW (lpString="sm-aud.exe") returned 10 [0092.831] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="arguedshavedtimber.exe")) returned 1 [0092.838] lstrlenW (lpString="arguedshavedtimber.exe") returned 22 [0092.838] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="maybefdsamba.exe")) returned 1 [0092.839] lstrlenW (lpString="maybefdsamba.exe") returned 16 [0092.839] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x798, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="lap.exe")) returned 1 [0092.839] lstrlenW (lpString="lap.exe") returned 7 [0092.840] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aspect-reserves-snapshot.exe")) returned 1 [0092.845] lstrlenW (lpString="aspect-reserves-snapshot.exe") returned 28 [0092.845] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x308, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="clerk journalism ncaa.exe")) returned 1 [0092.850] lstrlenW (lpString="clerk journalism ncaa.exe") returned 25 [0092.850] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="authentication-uh-mile.exe")) returned 1 [0092.858] lstrlenW (lpString="authentication-uh-mile.exe") returned 26 [0092.858] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="completion.exe")) returned 1 [0092.859] lstrlenW (lpString="completion.exe") returned 14 [0092.859] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="independently.exe")) returned 1 [0092.860] lstrlenW (lpString="independently.exe") returned 17 [0092.860] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mel_kinase.exe")) returned 1 [0092.860] lstrlenW (lpString="mel_kinase.exe") returned 14 [0092.860] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="infectious incomplete.exe")) returned 1 [0092.861] lstrlenW (lpString="infectious incomplete.exe") returned 25 [0092.861] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accountability-transparent.exe")) returned 1 [0092.862] lstrlenW (lpString="accountability-transparent.exe") returned 30 [0092.862] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0092.862] lstrlenW (lpString="3dftp.exe") returned 9 [0092.862] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0092.863] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0092.863] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0092.864] lstrlenW (lpString="alftp.exe") returned 9 [0092.864] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0092.864] lstrlenW (lpString="barca.exe") returned 9 [0092.864] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0092.865] lstrlenW (lpString="bitkinex.exe") returned 12 [0092.865] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0092.866] lstrlenW (lpString="coreftp.exe") returned 11 [0092.866] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0092.866] lstrlenW (lpString="far.exe") returned 7 [0092.866] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0092.867] lstrlenW (lpString="filezilla.exe") returned 13 [0092.867] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0092.868] lstrlenW (lpString="flashfxp.exe") returned 12 [0092.868] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0092.868] lstrlenW (lpString="fling.exe") returned 9 [0092.868] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0092.869] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0092.869] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0092.870] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0092.870] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0092.870] lstrlenW (lpString="icq.exe") returned 7 [0092.870] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0092.871] lstrlenW (lpString="leechftp.exe") returned 12 [0092.871] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0092.872] lstrlenW (lpString="ncftp.exe") returned 9 [0092.872] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x674, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0092.873] lstrlenW (lpString="notepad.exe") returned 11 [0092.873] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0092.875] lstrlenW (lpString="operamail.exe") returned 13 [0092.875] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0092.876] lstrlenW (lpString="pidgin.exe") returned 10 [0092.876] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0092.877] lstrlenW (lpString="scriptftp.exe") returned 13 [0092.877] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0092.878] lstrlenW (lpString="skype.exe") returned 9 [0092.878] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x85c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0092.879] lstrlenW (lpString="smartftp.exe") returned 12 [0092.879] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0092.880] lstrlenW (lpString="thunderbird.exe") returned 15 [0092.880] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0092.881] lstrlenW (lpString="totalcmd.exe") returned 12 [0092.881] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0092.882] lstrlenW (lpString="trillian.exe") returned 12 [0092.882] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0092.883] lstrlenW (lpString="webdrive.exe") returned 12 [0092.883] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0092.884] lstrlenW (lpString="whatsapp.exe") returned 12 [0092.884] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0092.885] lstrlenW (lpString="winscp.exe") returned 10 [0092.885] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0092.886] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0092.886] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0092.887] lstrlenW (lpString="active-charge.exe") returned 17 [0092.887] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0092.888] lstrlenW (lpString="accupos.exe") returned 11 [0092.888] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0092.889] lstrlenW (lpString="afr38.exe") returned 9 [0092.889] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0093.235] lstrlenW (lpString="aldelo.exe") returned 10 [0093.236] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0093.237] lstrlenW (lpString="ccv_server.exe") returned 14 [0093.237] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0093.237] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0093.238] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0093.238] lstrlenW (lpString="creditservice.exe") returned 17 [0093.238] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0093.239] lstrlenW (lpString="edcsvr.exe") returned 10 [0093.239] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0093.240] lstrlenW (lpString="fpos.exe") returned 8 [0093.240] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0093.241] lstrlenW (lpString="isspos.exe") returned 10 [0093.241] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0093.242] lstrlenW (lpString="mxslipstream.exe") returned 16 [0093.242] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0093.243] lstrlenW (lpString="omnipos.exe") returned 11 [0093.243] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0093.244] lstrlenW (lpString="spcwin.exe") returned 10 [0093.244] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0093.245] lstrlenW (lpString="spgagentservice.exe") returned 19 [0093.245] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0093.245] lstrlenW (lpString="utg2.exe") returned 8 [0093.246] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="forced-british.exe")) returned 1 [0093.246] lstrlenW (lpString="forced-british.exe") returned 18 [0093.246] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="loaded twins prevent.exe")) returned 1 [0093.247] lstrlenW (lpString="loaded twins prevent.exe") returned 24 [0093.247] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="xnxx-face-theology.exe")) returned 1 [0093.260] lstrlenW (lpString="xnxx-face-theology.exe") returned 22 [0093.260] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="economic tgp operational.exe")) returned 1 [0093.261] lstrlenW (lpString="economic tgp operational.exe") returned 28 [0093.261] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kenya.exe")) returned 1 [0093.261] lstrlenW (lpString="kenya.exe") returned 9 [0093.261] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0093.262] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0093.262] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0093.263] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0093.263] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0093.265] lstrlenW (lpString="taskhost.exe") returned 12 [0093.265] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="dmyurb.exe")) returned 1 [0093.265] lstrlenW (lpString="dmyurb.exe") returned 10 [0093.265] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xb04, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0093.266] lstrlenW (lpString="cmd.exe") returned 7 [0093.266] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0093.267] lstrlenW (lpString="conhost.exe") returned 11 [0093.267] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x304, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0093.268] lstrlenW (lpString="vssadmin.exe") returned 12 [0093.268] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0093.268] lstrlenW (lpString="VSSVC.exe") returned 9 [0093.269] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.269] lstrlenW (lpString="svchost.exe") returned 11 [0093.269] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.270] lstrlenW (lpString="svchost.exe") returned 11 [0093.270] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1ac, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0093.271] lstrlenW (lpString="LogonUI.exe") returned 11 [0093.271] Process32NextW (in: hSnapshot=0x1d8, lppe=0x215fd34 | out: lppe=0x215fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1ac, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0093.271] CloseHandle (hObject=0x1d8) returned 1 [0093.271] Sleep (dwMilliseconds=0x1f4) Thread: id = 5 os_tid = 0x7ec [0062.884] WaitForSingleObject (hHandle=0x18fde4, dwMilliseconds=0xffffffff) returned 0xffffffff [0062.884] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x274a30 | out: hHeap=0x240000) returned 1 Thread: id = 6 os_tid = 0x7e4 [0062.885] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x274a30 [0062.885] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x274a30, Size=0x20) returned 0x2759f8 [0062.885] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x2759f8, Size=0x40) returned 0x276b10 [0062.885] GetLogicalDrives () returned 0x4 [0062.885] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x2bd448 [0062.886] GetComputerNameW (in: lpBuffer=0x2bd44c, nSize=0x235ff6c | out: lpBuffer="XDUWTFONO", nSize=0x235ff6c) returned 1 [0062.886] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1000) returned 0x28b448 [0062.887] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x235ff3c | out: lphEnum=0x235ff3c*=0x276020) returned 0x0 [0062.887] WNetEnumResourceW (in: hEnum=0x276020, lpcCount=0x235ff38, lpBuffer=0x28b448, lpBufferSize=0x235ff40 | out: lpcCount=0x235ff38, lpBuffer=0x28b448, lpBufferSize=0x235ff40) returned 0x103 [0062.887] WNetCloseEnum (hEnum=0x276020) returned 0x0 [0062.887] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x235ff3c | out: lphEnum=0x235ff3c*=0x2cd450) returned 0x0 [0066.682] WNetEnumResourceW (in: hEnum=0x2cd450, lpcCount=0x235ff38, lpBuffer=0x28b448, lpBufferSize=0x235ff40 | out: lpcCount=0x235ff38, lpBuffer=0x28b448, lpBufferSize=0x235ff40) returned 0x0 [0066.682] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1000) returned 0x2cdbe8 [0066.682] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x28b448, lphEnum=0x235ff10 | out: lphEnum=0x235ff10*=0x2762c0) returned 0x0 [0066.766] WNetEnumResourceW (in: hEnum=0x2762c0, lpcCount=0x235ff0c, lpBuffer=0x2cdbe8, lpBufferSize=0x235ff14 | out: lpcCount=0x235ff0c, lpBuffer=0x2cdbe8, lpBufferSize=0x235ff14) returned 0x103 [0066.766] WNetCloseEnum (hEnum=0x2762c0) returned 0x0 [0066.766] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1000) returned 0x2e6c30 [0066.766] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x28b468, lphEnum=0x235ff10 | out: lphEnum=0x235ff10*=0x0) returned 0x4b8 [0086.699] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x1000) returned 0x4051810 [0086.699] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x28b488, lphEnum=0x235ff10 | out: lphEnum=0x235ff10*=0x0) returned 0x4c6 [0086.784] WNetEnumResourceW (in: hEnum=0x2cd450, lpcCount=0x235ff38, lpBuffer=0x28b448, lpBufferSize=0x235ff40 | out: lpcCount=0x235ff38, lpBuffer=0x28b448, lpBufferSize=0x235ff40) returned 0x103 [0086.784] WNetCloseEnum (hEnum=0x2cd450) returned 0x0 [0086.784] GetLogicalDrives () returned 0x4 [0086.784] Sleep (dwMilliseconds=0x64) [0087.155] GetLogicalDrives () returned 0x4 [0087.155] Sleep (dwMilliseconds=0x64) [0087.577] GetLogicalDrives () returned 0x4 [0087.577] Sleep (dwMilliseconds=0x64) [0088.063] GetLogicalDrives () returned 0x4 [0088.063] Sleep (dwMilliseconds=0x64) [0088.213] GetLogicalDrives () returned 0x4 [0088.213] Sleep (dwMilliseconds=0x64) [0088.319] GetLogicalDrives () returned 0x4 [0088.319] Sleep (dwMilliseconds=0x64) [0088.428] GetLogicalDrives () returned 0x4 [0088.428] Sleep (dwMilliseconds=0x64) [0088.537] GetLogicalDrives () returned 0x4 [0088.537] Sleep (dwMilliseconds=0x64) [0088.647] GetLogicalDrives () returned 0x4 [0088.647] Sleep (dwMilliseconds=0x64) [0088.772] GetLogicalDrives () returned 0x4 [0088.772] Sleep (dwMilliseconds=0x64) [0088.881] GetLogicalDrives () returned 0x4 [0088.881] Sleep (dwMilliseconds=0x64) [0089.071] GetLogicalDrives () returned 0x4 [0089.071] Sleep (dwMilliseconds=0x64) [0089.607] GetLogicalDrives () returned 0x4 [0089.607] Sleep (dwMilliseconds=0x64) [0090.136] GetLogicalDrives () returned 0x4 [0090.136] Sleep (dwMilliseconds=0x64) [0090.455] GetLogicalDrives () returned 0x4 [0090.455] Sleep (dwMilliseconds=0x64) [0092.199] GetLogicalDrives () returned 0x4 [0092.203] Sleep (dwMilliseconds=0x64) [0092.749] GetLogicalDrives () returned 0x4 [0092.749] Sleep (dwMilliseconds=0x64) [0093.116] GetLogicalDrives () returned 0x4 [0093.116] Sleep (dwMilliseconds=0x64) Thread: id = 8 os_tid = 0x51c [0066.754] GetTickCount () returned 0x1148814 [0066.754] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x24) returned 0x2cef40 [0066.754] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x2cef40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x120 [0066.755] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x2cef40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x144 [0066.757] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x2cef40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x148 [0066.758] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x2cef40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x14c [0066.760] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298c10 [0066.760] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298c10, Size=0x20) returned 0x2df420 [0066.760] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298c10 [0066.760] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298c10, Size=0x20) returned 0x2df448 [0066.761] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0066.761] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0066.761] Wow64DisableWow64FsRedirection (in: OldValue=0x225ff84 | out: OldValue=0x225ff84*=0x0) returned 1 [0066.761] lstrlenW (lpString="kernel32.dll") returned 12 [0066.761] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df420 | out: hHeap=0x240000) returned 1 [0066.761] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0066.761] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df448 | out: hHeap=0x240000) returned 1 [0066.761] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x27b428, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x150 [0066.763] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0066.964] GetTickCount () returned 0x11488a1 [0066.964] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0067.384] GetTickCount () returned 0x114894c [0067.384] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0067.524] GetTickCount () returned 0x11489c9 [0067.524] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0067.880] GetTickCount () returned 0x1148b01 [0067.880] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0069.292] GetTickCount () returned 0x1148cc5 [0069.292] GetTickCount () returned 0x1148cc5 [0069.292] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0069.609] GetTickCount () returned 0x1148dfd [0069.609] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0069.790] GetTickCount () returned 0x1148eb9 [0069.790] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0069.895] GetTickCount () returned 0x1148f26 [0069.895] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0070.006] GetTickCount () returned 0x1148f93 [0070.006] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0070.129] GetTickCount () returned 0x1149010 [0070.129] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0070.299] GetTickCount () returned 0x11490ac [0070.299] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0070.441] GetTickCount () returned 0x1149148 [0070.442] GetTickCount () returned 0x1149148 [0070.442] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0070.563] GetTickCount () returned 0x11491b5 [0070.563] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0070.659] GetTickCount () returned 0x1149222 [0070.659] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0071.040] GetTickCount () returned 0x1149399 [0071.040] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0071.440] GetTickCount () returned 0x114952e [0071.440] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0071.787] GetTickCount () returned 0x1149686 [0071.787] GetTickCount () returned 0x1149686 [0071.787] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0072.065] GetTickCount () returned 0x114979e [0072.065] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0072.286] GetTickCount () returned 0x1149879 [0072.286] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0072.553] GetTickCount () returned 0x1149944 [0072.553] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0073.015] GetTickCount () returned 0x1149b08 [0073.015] GetTickCount () returned 0x1149b18 [0073.015] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0073.282] GetTickCount () returned 0x1149c21 [0073.282] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0073.843] GetTickCount () returned 0x1149e14 [0073.843] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0074.411] GetTickCount () returned 0x1149ff8 [0074.411] GetTickCount () returned 0x1149ff8 [0074.411] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0074.654] GetTickCount () returned 0x114a0d2 [0074.654] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0074.772] GetTickCount () returned 0x114a13f [0074.772] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0075.580] GetTickCount () returned 0x114a2a6 [0075.580] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0075.934] GetTickCount () returned 0x114a40d [0075.934] GetTickCount () returned 0x114a40d [0075.934] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0076.122] GetTickCount () returned 0x114a4c8 [0076.122] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0077.730] GetTickCount () returned 0x114a5d1 [0077.730] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0078.211] GetTickCount () returned 0x114a776 [0078.211] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0078.583] GetTickCount () returned 0x114a8ce [0078.583] GetTickCount () returned 0x114a8ce [0078.583] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0079.084] GetTickCount () returned 0x114aad0 [0079.084] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0079.480] GetTickCount () returned 0x114ac18 [0079.480] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0079.988] GetTickCount () returned 0x114ae1b [0079.989] GetTickCount () returned 0x114ae1b [0079.989] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0080.470] GetTickCount () returned 0x114afef [0080.470] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0080.834] GetTickCount () returned 0x114b165 [0080.834] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0081.154] GetTickCount () returned 0x114b25f [0081.154] GetTickCount () returned 0x114b25f [0081.154] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0081.604] GetTickCount () returned 0x114b414 [0081.604] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0081.831] GetTickCount () returned 0x114b4fe [0081.831] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0081.993] GetTickCount () returned 0x114b56b [0081.993] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0082.153] GetTickCount () returned 0x114b5d8 [0082.153] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0082.263] GetTickCount () returned 0x114b645 [0082.263] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0082.360] GetTickCount () returned 0x114b6b2 [0082.360] GetTickCount () returned 0x114b6b2 [0082.360] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0082.596] GetTickCount () returned 0x114b79c [0082.596] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0082.794] GetTickCount () returned 0x114b858 [0082.794] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0083.484] GetTickCount () returned 0x114bb16 [0083.484] GetTickCount () returned 0x114bb16 [0083.484] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0083.878] GetTickCount () returned 0x114bc9c [0083.878] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0084.210] GetTickCount () returned 0x114bde3 [0084.210] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0085.240] GetTickCount () returned 0x114c1e9 [0085.240] GetTickCount () returned 0x114c1e9 [0085.240] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0085.480] GetTickCount () returned 0x114c2e2 [0085.480] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0085.761] GetTickCount () returned 0x114c3fb [0085.761] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0086.030] GetTickCount () returned 0x114c504 [0086.030] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0086.418] GetTickCount () returned 0x114c68a [0086.418] GetTickCount () returned 0x114c68a [0086.418] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0086.921] GetTickCount () returned 0x114c87e [0086.921] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0087.215] GetTickCount () returned 0x114c9a6 [0087.215] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0087.578] GetTickCount () returned 0x114cb0d [0087.578] GetTickCount () returned 0x114cb0d [0087.578] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0088.063] GetTickCount () returned 0x114ccf0 [0088.063] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0088.213] GetTickCount () returned 0x114cd8c [0088.213] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0088.319] GetTickCount () returned 0x114cdfa [0088.319] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0088.428] GetTickCount () returned 0x114ce67 [0088.428] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0088.537] GetTickCount () returned 0x114ced4 [0088.537] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0088.647] GetTickCount () returned 0x114cf41 [0088.647] GetTickCount () returned 0x114cf41 [0088.648] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0088.771] GetTickCount () returned 0x114cfbe [0088.771] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0088.881] GetTickCount () returned 0x114d02b [0088.881] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0089.072] GetTickCount () returned 0x114d0e6 [0089.072] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0089.606] GetTickCount () returned 0x114d2f9 [0089.606] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0090.136] GetTickCount () returned 0x114d50b [0090.136] GetTickCount () returned 0x114d50b [0090.136] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0090.455] GetTickCount () returned 0x114d643 [0090.455] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0092.177] GetTickCount () returned 0x114dd07 [0092.177] GetTickCount () returned 0x114dd07 [0092.177] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0092.748] GetTickCount () returned 0x114df38 [0092.749] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0093.115] GetTickCount () returned 0x114e0af [0093.115] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) Thread: id = 9 os_tid = 0x568 [0066.894] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x29d438 [0066.895] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x2ad440 [0066.895] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298bc8 [0066.895] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x27a0a8 [0066.895] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298be0 [0066.895] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x100000) returned 0x2ea0020 [0066.895] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298bb0 [0066.895] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298bb0, Size=0x20) returned 0x2df3a8 [0066.895] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298bb0 [0066.895] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298bb0, Size=0x20) returned 0x2df448 [0066.895] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0066.895] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0066.895] Wow64DisableWow64FsRedirection (in: OldValue=0x299ff58 | out: OldValue=0x299ff58*=0x0) returned 1 [0066.896] lstrlenW (lpString="kernel32.dll") returned 12 [0066.896] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df3a8 | out: hHeap=0x240000) returned 1 [0066.896] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0066.896] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df448 | out: hHeap=0x240000) returned 1 [0066.896] Sleep (dwMilliseconds=0x64) [0067.021] lstrcmpiW (lpString1=".ini", lpString2=".mnbzr") returned -1 [0067.021] lstrlenW (lpString="desktop.ini") returned 11 [0067.021] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0067.021] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=129) returned 1 [0067.021] CloseHandle (hObject=0x188) returned 1 [0067.021] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0067.021] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.022] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0067.022] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.022] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.022] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0067.022] GetLastError () returned 0x0 [0067.023] ReadFile (in: hFile=0x188, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x81, lpOverlapped=0x0) returned 1 [0067.039] WriteFile (in: hFile=0x18c, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x90, lpOverlapped=0x0) returned 1 [0067.041] ReadFile (in: hFile=0x188, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.041] WriteFile (in: hFile=0x18c, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0067.041] SetEndOfFile (hFile=0x18c) returned 1 [0067.042] CloseHandle (hObject=0x18c) returned 1 [0067.044] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.044] SetEndOfFile (hFile=0x188) returned 1 [0067.046] CloseHandle (hObject=0x188) returned 1 [0067.046] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x26) returned 1 [0067.046] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 1 [0067.046] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0067.046] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0067.046] lstrlenW (lpString=".doc") returned 4 [0067.046] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0067.046] lstrlenW (lpString=".docx") returned 5 [0067.046] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0067.046] lstrlenW (lpString=".pdf") returned 4 [0067.046] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0067.046] lstrlenW (lpString=".xls") returned 4 [0067.047] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0067.047] lstrlenW (lpString=".xlsx") returned 5 [0067.047] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0067.047] lstrlenW (lpString=".ppt") returned 4 [0067.047] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0067.047] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0067.047] lstrlenW (lpString=".zip") returned 4 [0067.047] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0067.047] lstrlenW (lpString=".rar") returned 4 [0067.047] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0067.047] lstrlenW (lpString=".bz2") returned 4 [0067.047] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0067.047] lstrlenW (lpString=".7z") returned 3 [0067.047] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0067.047] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0067.047] lstrlenW (lpString=".dbf") returned 4 [0067.047] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0067.047] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0067.047] lstrlenW (lpString=".1cd") returned 4 [0067.047] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0067.047] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0067.047] lstrlenW (lpString=".jpg") returned 4 [0067.047] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0067.047] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0067.047] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0067.047] lstrlenW (lpString=".doc") returned 4 [0067.047] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0067.047] lstrlenW (lpString=".docx") returned 5 [0067.047] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0067.047] lstrlenW (lpString=".pdf") returned 4 [0067.047] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0067.048] lstrlenW (lpString=".xls") returned 4 [0067.048] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0067.048] lstrlenW (lpString=".xlsx") returned 5 [0067.048] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0067.048] lstrlenW (lpString=".ppt") returned 4 [0067.048] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0067.048] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0067.048] lstrlenW (lpString=".zip") returned 4 [0067.048] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0067.048] lstrlenW (lpString=".rar") returned 4 [0067.048] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0067.048] lstrlenW (lpString=".bz2") returned 4 [0067.048] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0067.048] lstrlenW (lpString=".7z") returned 3 [0067.048] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0067.048] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0067.048] lstrlenW (lpString=".dbf") returned 4 [0067.048] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0067.048] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0067.048] lstrlenW (lpString=".1cd") returned 4 [0067.048] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0067.048] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0067.048] lstrlenW (lpString=".jpg") returned 4 [0067.048] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0067.048] lstrcmpiW (lpString1=".LOG", lpString2=".mnbzr") returned -1 [0067.048] lstrlenW (lpString="BCD.LOG") returned 7 [0067.048] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.049] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0067.049] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0067.049] lstrlenW (lpString=".doc") returned 4 [0067.049] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0067.049] lstrlenW (lpString=".docx") returned 5 [0067.049] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0067.049] lstrlenW (lpString=".pdf") returned 4 [0067.049] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0067.049] lstrlenW (lpString=".xls") returned 4 [0067.049] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0067.049] lstrlenW (lpString=".xlsx") returned 5 [0067.049] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0067.049] lstrlenW (lpString=".ppt") returned 4 [0067.049] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0067.049] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0067.049] lstrlenW (lpString=".zip") returned 4 [0067.049] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0067.049] lstrlenW (lpString=".rar") returned 4 [0067.049] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0067.049] lstrlenW (lpString=".bz2") returned 4 [0067.049] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0067.049] lstrlenW (lpString=".7z") returned 3 [0067.049] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0067.049] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0067.049] lstrlenW (lpString=".dbf") returned 4 [0067.049] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0067.049] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0067.049] lstrlenW (lpString=".1cd") returned 4 [0067.049] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0067.050] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0067.050] lstrlenW (lpString=".jpg") returned 4 [0067.050] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0067.050] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0067.050] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0067.050] lstrlenW (lpString=".doc") returned 4 [0067.050] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0067.050] lstrlenW (lpString=".docx") returned 5 [0067.050] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0067.050] lstrlenW (lpString=".pdf") returned 4 [0067.050] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0067.050] lstrlenW (lpString=".xls") returned 4 [0067.050] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0067.050] lstrlenW (lpString=".xlsx") returned 5 [0067.050] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0067.050] lstrlenW (lpString=".ppt") returned 4 [0067.050] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0067.050] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0067.050] lstrlenW (lpString=".zip") returned 4 [0067.050] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0067.050] lstrlenW (lpString=".rar") returned 4 [0067.050] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0067.050] lstrlenW (lpString=".bz2") returned 4 [0067.050] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0067.050] lstrlenW (lpString=".7z") returned 3 [0067.050] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0067.050] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0067.051] lstrlenW (lpString=".dbf") returned 4 [0067.051] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0067.051] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0067.051] lstrlenW (lpString=".1cd") returned 4 [0067.051] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0067.051] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0067.051] lstrlenW (lpString=".jpg") returned 4 [0067.051] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0067.051] lstrcmpiW (lpString1=".DAT", lpString2=".mnbzr") returned -1 [0067.051] lstrlenW (lpString="BOOTSTAT.DAT") returned 12 [0067.051] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0067.336] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=65536) returned 1 [0067.336] CloseHandle (hObject=0x188) returned 1 [0067.336] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 0x26 [0067.336] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.336] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0067.336] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.336] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.336] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0067.337] GetLastError () returned 0x0 [0067.337] ReadFile (in: hFile=0x188, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x10000, lpOverlapped=0x0) returned 1 [0067.340] WriteFile (in: hFile=0x18c, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x10010, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x10010, lpOverlapped=0x0) returned 1 [0067.342] ReadFile (in: hFile=0x188, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.342] WriteFile (in: hFile=0x18c, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0067.343] SetEndOfFile (hFile=0x18c) returned 1 [0067.343] CloseHandle (hObject=0x18c) returned 1 [0067.344] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.344] SetEndOfFile (hFile=0x188) returned 1 [0067.346] CloseHandle (hObject=0x188) returned 1 [0067.346] SetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x26) returned 1 [0067.347] DeleteFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 1 [0067.347] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0067.347] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0067.347] lstrlenW (lpString=".doc") returned 4 [0067.347] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0067.347] lstrlenW (lpString=".docx") returned 5 [0067.347] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0067.347] lstrlenW (lpString=".pdf") returned 4 [0067.347] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0067.347] lstrlenW (lpString=".xls") returned 4 [0067.347] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0067.347] lstrlenW (lpString=".xlsx") returned 5 [0067.347] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0067.347] lstrlenW (lpString=".ppt") returned 4 [0067.347] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0067.347] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0067.347] lstrlenW (lpString=".zip") returned 4 [0067.347] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0067.347] lstrlenW (lpString=".rar") returned 4 [0067.347] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0067.348] lstrlenW (lpString=".bz2") returned 4 [0067.348] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0067.348] lstrlenW (lpString=".7z") returned 3 [0067.348] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0067.348] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0067.348] lstrlenW (lpString=".dbf") returned 4 [0067.348] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0067.348] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0067.348] lstrlenW (lpString=".1cd") returned 4 [0067.348] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0067.348] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0067.348] lstrlenW (lpString=".jpg") returned 4 [0067.348] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0067.348] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0067.348] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0067.348] lstrlenW (lpString=".doc") returned 4 [0067.348] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0067.348] lstrlenW (lpString=".docx") returned 5 [0067.348] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0067.348] lstrlenW (lpString=".pdf") returned 4 [0067.348] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0067.348] lstrlenW (lpString=".xls") returned 4 [0067.348] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0067.348] lstrlenW (lpString=".xlsx") returned 5 [0067.349] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0067.349] lstrlenW (lpString=".ppt") returned 4 [0067.349] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0067.349] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0067.349] lstrlenW (lpString=".zip") returned 4 [0067.349] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0067.349] lstrlenW (lpString=".rar") returned 4 [0067.349] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0067.349] lstrlenW (lpString=".bz2") returned 4 [0067.349] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0067.349] lstrlenW (lpString=".7z") returned 3 [0067.349] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0067.349] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0067.349] lstrlenW (lpString=".dbf") returned 4 [0067.349] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0067.349] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0067.349] lstrlenW (lpString=".1cd") returned 4 [0067.349] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0067.349] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0067.349] lstrlenW (lpString=".jpg") returned 4 [0067.349] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0067.349] Sleep (dwMilliseconds=0x64) [0067.447] Sleep (dwMilliseconds=0x64) [0067.555] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.555] lstrlenW (lpString="PowerPointMUI.xml") returned 17 [0067.555] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.558] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1450) returned 1 [0067.558] CloseHandle (hObject=0x1ac) returned 1 [0067.558] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 0x2020 [0067.558] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.558] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.558] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.558] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.558] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0067.558] GetLastError () returned 0x0 [0067.558] ReadFile (in: hFile=0x1ac, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0067.561] WriteFile (in: hFile=0x1b4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0067.562] ReadFile (in: hFile=0x1ac, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.562] WriteFile (in: hFile=0x1b4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0067.562] SetEndOfFile (hFile=0x1b4) returned 1 [0067.562] CloseHandle (hObject=0x1b4) returned 1 [0067.563] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.563] SetEndOfFile (hFile=0x1ac) returned 1 [0067.564] CloseHandle (hObject=0x1ac) returned 1 [0067.564] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.564] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 1 [0067.565] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0067.565] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0067.565] lstrlenW (lpString=".doc") returned 4 [0067.565] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.565] lstrlenW (lpString=".docx") returned 5 [0067.565] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0067.565] lstrlenW (lpString=".pdf") returned 4 [0067.565] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.565] lstrlenW (lpString=".xls") returned 4 [0067.565] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.565] lstrlenW (lpString=".xlsx") returned 5 [0067.565] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0067.565] lstrlenW (lpString=".ppt") returned 4 [0067.565] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.565] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0067.565] lstrlenW (lpString=".zip") returned 4 [0067.565] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.565] lstrlenW (lpString=".rar") returned 4 [0067.565] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.565] lstrlenW (lpString=".bz2") returned 4 [0067.565] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.565] lstrlenW (lpString=".7z") returned 3 [0067.565] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.565] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0067.565] lstrlenW (lpString=".dbf") returned 4 [0067.565] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.565] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0067.566] lstrlenW (lpString=".1cd") returned 4 [0067.566] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.566] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0067.566] lstrlenW (lpString=".jpg") returned 4 [0067.566] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.566] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0067.566] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0067.566] lstrlenW (lpString=".doc") returned 4 [0067.566] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.566] lstrlenW (lpString=".docx") returned 5 [0067.566] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0067.566] lstrlenW (lpString=".pdf") returned 4 [0067.566] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.566] lstrlenW (lpString=".xls") returned 4 [0067.566] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.566] lstrlenW (lpString=".xlsx") returned 5 [0067.566] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0067.566] lstrlenW (lpString=".ppt") returned 4 [0067.566] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.566] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0067.566] lstrlenW (lpString=".zip") returned 4 [0067.566] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.566] lstrlenW (lpString=".rar") returned 4 [0067.566] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.566] lstrlenW (lpString=".bz2") returned 4 [0067.566] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.566] lstrlenW (lpString=".7z") returned 3 [0067.566] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.566] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0067.566] lstrlenW (lpString=".dbf") returned 4 [0067.566] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.566] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0067.567] lstrlenW (lpString=".1cd") returned 4 [0067.567] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.567] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0067.567] lstrlenW (lpString=".jpg") returned 4 [0067.567] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.567] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.567] lstrlenW (lpString="Setup.xml") returned 9 [0067.567] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.567] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1886) returned 1 [0067.567] CloseHandle (hObject=0x1ac) returned 1 [0067.567] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0067.567] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.567] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.567] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.568] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.568] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0067.568] GetLastError () returned 0x0 [0067.568] ReadFile (in: hFile=0x1ac, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x75e, lpOverlapped=0x0) returned 1 [0067.578] WriteFile (in: hFile=0x1b4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x760, lpOverlapped=0x0) returned 1 [0067.579] ReadFile (in: hFile=0x1ac, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.579] WriteFile (in: hFile=0x1b4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0067.579] SetEndOfFile (hFile=0x1b4) returned 1 [0067.579] CloseHandle (hObject=0x1b4) returned 1 [0067.580] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.580] SetEndOfFile (hFile=0x1ac) returned 1 [0067.581] CloseHandle (hObject=0x1ac) returned 1 [0067.581] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.581] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0067.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.581] lstrlenW (lpString=".doc") returned 4 [0067.581] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.581] lstrlenW (lpString=".docx") returned 5 [0067.581] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0067.581] lstrlenW (lpString=".pdf") returned 4 [0067.581] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.581] lstrlenW (lpString=".xls") returned 4 [0067.582] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.582] lstrlenW (lpString=".xlsx") returned 5 [0067.582] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0067.582] lstrlenW (lpString=".ppt") returned 4 [0067.582] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.582] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.582] lstrlenW (lpString=".zip") returned 4 [0067.582] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.582] lstrlenW (lpString=".rar") returned 4 [0067.582] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.582] lstrlenW (lpString=".bz2") returned 4 [0067.582] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.582] lstrlenW (lpString=".7z") returned 3 [0067.582] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.582] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.582] lstrlenW (lpString=".dbf") returned 4 [0067.582] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.582] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.582] lstrlenW (lpString=".1cd") returned 4 [0067.582] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.582] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.582] lstrlenW (lpString=".jpg") returned 4 [0067.582] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.582] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.582] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.582] lstrlenW (lpString=".doc") returned 4 [0067.582] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.582] lstrlenW (lpString=".docx") returned 5 [0067.582] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0067.582] lstrlenW (lpString=".pdf") returned 4 [0067.582] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.582] lstrlenW (lpString=".xls") returned 4 [0067.582] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.583] lstrlenW (lpString=".xlsx") returned 5 [0067.583] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0067.583] lstrlenW (lpString=".ppt") returned 4 [0067.583] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.583] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.583] lstrlenW (lpString=".zip") returned 4 [0067.583] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.583] lstrlenW (lpString=".rar") returned 4 [0067.583] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.583] lstrlenW (lpString=".bz2") returned 4 [0067.583] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.583] lstrlenW (lpString=".7z") returned 3 [0067.583] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.583] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.583] lstrlenW (lpString=".dbf") returned 4 [0067.583] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.583] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.583] lstrlenW (lpString=".1cd") returned 4 [0067.583] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.583] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.583] lstrlenW (lpString=".jpg") returned 4 [0067.583] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.583] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.583] lstrlenW (lpString="PublisherMUI.xml") returned 16 [0067.583] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0067.779] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1450) returned 1 [0067.779] CloseHandle (hObject=0x1bc) returned 1 [0067.779] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 0x2020 [0067.779] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.789] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0067.789] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.789] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.789] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0067.790] GetLastError () returned 0x0 [0067.790] ReadFile (in: hFile=0x1bc, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0067.792] WriteFile (in: hFile=0x1c4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0067.793] ReadFile (in: hFile=0x1bc, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.793] WriteFile (in: hFile=0x1c4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0067.793] SetEndOfFile (hFile=0x1c4) returned 1 [0067.793] CloseHandle (hObject=0x1c4) returned 1 [0067.794] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.794] SetEndOfFile (hFile=0x1bc) returned 1 [0067.795] CloseHandle (hObject=0x1bc) returned 1 [0067.795] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.795] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 1 [0067.796] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0067.796] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0067.796] lstrlenW (lpString=".doc") returned 4 [0067.796] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.796] lstrlenW (lpString=".docx") returned 5 [0067.796] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0067.796] lstrlenW (lpString=".pdf") returned 4 [0067.796] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.796] lstrlenW (lpString=".xls") returned 4 [0067.796] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.796] lstrlenW (lpString=".xlsx") returned 5 [0067.796] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0067.796] lstrlenW (lpString=".ppt") returned 4 [0067.796] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.796] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0067.796] lstrlenW (lpString=".zip") returned 4 [0067.796] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.796] lstrlenW (lpString=".rar") returned 4 [0067.796] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.796] lstrlenW (lpString=".bz2") returned 4 [0067.796] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.796] lstrlenW (lpString=".7z") returned 3 [0067.796] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.796] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0067.796] lstrlenW (lpString=".dbf") returned 4 [0067.796] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.796] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0067.796] lstrlenW (lpString=".1cd") returned 4 [0067.796] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.796] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0067.796] lstrlenW (lpString=".jpg") returned 4 [0067.796] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.796] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0067.797] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0067.797] lstrlenW (lpString=".doc") returned 4 [0067.797] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.797] lstrlenW (lpString=".docx") returned 5 [0067.797] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0067.797] lstrlenW (lpString=".pdf") returned 4 [0067.797] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.797] lstrlenW (lpString=".xls") returned 4 [0067.797] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.797] lstrlenW (lpString=".xlsx") returned 5 [0067.797] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0067.797] lstrlenW (lpString=".ppt") returned 4 [0067.797] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.797] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0067.797] lstrlenW (lpString=".zip") returned 4 [0067.797] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.797] lstrlenW (lpString=".rar") returned 4 [0067.797] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.797] lstrlenW (lpString=".bz2") returned 4 [0067.797] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.797] lstrlenW (lpString=".7z") returned 3 [0067.797] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.797] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0067.797] lstrlenW (lpString=".dbf") returned 4 [0067.797] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.797] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0067.797] lstrlenW (lpString=".1cd") returned 4 [0067.797] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.797] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0067.797] lstrlenW (lpString=".jpg") returned 4 [0067.797] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.798] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.798] lstrlenW (lpString="Proof.xml") returned 9 [0067.798] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0067.799] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1347) returned 1 [0067.799] CloseHandle (hObject=0x1bc) returned 1 [0067.799] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 0x2020 [0067.799] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.799] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0067.799] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.799] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.799] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0067.799] GetLastError () returned 0x0 [0067.799] ReadFile (in: hFile=0x1bc, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x543, lpOverlapped=0x0) returned 1 [0067.801] WriteFile (in: hFile=0x1c4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x550, lpOverlapped=0x0) returned 1 [0067.803] ReadFile (in: hFile=0x1bc, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.803] WriteFile (in: hFile=0x1c4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0067.803] SetEndOfFile (hFile=0x1c4) returned 1 [0067.803] CloseHandle (hObject=0x1c4) returned 1 [0067.805] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.805] SetEndOfFile (hFile=0x1bc) returned 1 [0067.806] CloseHandle (hObject=0x1bc) returned 1 [0067.806] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.807] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 1 [0067.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0067.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0067.807] lstrlenW (lpString=".doc") returned 4 [0067.807] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.807] lstrlenW (lpString=".docx") returned 5 [0067.807] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0067.807] lstrlenW (lpString=".pdf") returned 4 [0067.807] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.807] lstrlenW (lpString=".xls") returned 4 [0067.807] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.807] lstrlenW (lpString=".xlsx") returned 5 [0067.807] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0067.807] lstrlenW (lpString=".ppt") returned 4 [0067.807] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.807] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0067.808] lstrlenW (lpString=".zip") returned 4 [0067.808] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.808] lstrlenW (lpString=".rar") returned 4 [0067.808] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.808] lstrlenW (lpString=".bz2") returned 4 [0067.808] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.808] lstrlenW (lpString=".7z") returned 3 [0067.808] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0067.808] lstrlenW (lpString=".dbf") returned 4 [0067.808] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0067.808] lstrlenW (lpString=".1cd") returned 4 [0067.808] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0067.808] lstrlenW (lpString=".jpg") returned 4 [0067.808] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0067.808] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0067.808] lstrlenW (lpString=".doc") returned 4 [0067.808] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.808] lstrlenW (lpString=".docx") returned 5 [0067.808] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0067.808] lstrlenW (lpString=".pdf") returned 4 [0067.809] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.809] lstrlenW (lpString=".xls") returned 4 [0067.809] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.809] lstrlenW (lpString=".xlsx") returned 5 [0067.809] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0067.809] lstrlenW (lpString=".ppt") returned 4 [0067.809] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0067.809] lstrlenW (lpString=".zip") returned 4 [0067.809] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.809] lstrlenW (lpString=".rar") returned 4 [0067.809] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.809] lstrlenW (lpString=".bz2") returned 4 [0067.809] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.809] lstrlenW (lpString=".7z") returned 3 [0067.809] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0067.809] lstrlenW (lpString=".dbf") returned 4 [0067.809] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.809] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0067.809] lstrlenW (lpString=".1cd") returned 4 [0067.809] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0067.810] lstrlenW (lpString=".jpg") returned 4 [0067.810] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.810] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.810] lstrlenW (lpString="Proof.xml") returned 9 [0067.810] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0067.810] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1457) returned 1 [0067.810] CloseHandle (hObject=0x1bc) returned 1 [0067.810] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 0x2020 [0067.810] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.811] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0067.811] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.811] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.811] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0067.811] GetLastError () returned 0x0 [0067.811] ReadFile (in: hFile=0x1bc, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x5b1, lpOverlapped=0x0) returned 1 [0067.814] WriteFile (in: hFile=0x1c4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0067.816] ReadFile (in: hFile=0x1bc, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.816] WriteFile (in: hFile=0x1c4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0067.816] SetEndOfFile (hFile=0x1c4) returned 1 [0067.816] CloseHandle (hObject=0x1c4) returned 1 [0067.818] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.818] SetEndOfFile (hFile=0x1bc) returned 1 [0067.819] CloseHandle (hObject=0x1bc) returned 1 [0067.819] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.820] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 1 [0067.820] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0067.820] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0067.820] lstrlenW (lpString=".doc") returned 4 [0067.820] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.821] lstrlenW (lpString=".docx") returned 5 [0067.821] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0067.821] lstrlenW (lpString=".pdf") returned 4 [0067.821] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.821] lstrlenW (lpString=".xls") returned 4 [0067.821] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.821] lstrlenW (lpString=".xlsx") returned 5 [0067.821] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0067.821] lstrlenW (lpString=".ppt") returned 4 [0067.821] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0067.821] lstrlenW (lpString=".zip") returned 4 [0067.821] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.821] lstrlenW (lpString=".rar") returned 4 [0067.821] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.821] lstrlenW (lpString=".bz2") returned 4 [0067.821] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.821] lstrlenW (lpString=".7z") returned 3 [0067.821] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0067.821] lstrlenW (lpString=".dbf") returned 4 [0067.821] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0067.821] lstrlenW (lpString=".1cd") returned 4 [0067.821] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0067.822] lstrlenW (lpString=".jpg") returned 4 [0067.822] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0067.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0067.822] lstrlenW (lpString=".doc") returned 4 [0067.822] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.822] lstrlenW (lpString=".docx") returned 5 [0067.822] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0067.822] lstrlenW (lpString=".pdf") returned 4 [0067.822] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.822] lstrlenW (lpString=".xls") returned 4 [0067.822] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.822] lstrlenW (lpString=".xlsx") returned 5 [0067.822] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0067.822] lstrlenW (lpString=".ppt") returned 4 [0067.822] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0067.822] lstrlenW (lpString=".zip") returned 4 [0067.822] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.822] lstrlenW (lpString=".rar") returned 4 [0067.822] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.822] lstrlenW (lpString=".bz2") returned 4 [0067.822] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.822] lstrlenW (lpString=".7z") returned 3 [0067.823] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0067.823] lstrlenW (lpString=".dbf") returned 4 [0067.823] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0067.823] lstrlenW (lpString=".1cd") returned 4 [0067.823] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0067.823] lstrlenW (lpString=".jpg") returned 4 [0067.823] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.823] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.823] lstrlenW (lpString="Proof.xml") returned 9 [0067.823] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0067.824] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1458) returned 1 [0067.824] CloseHandle (hObject=0x1bc) returned 1 [0067.824] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 0x2020 [0067.824] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.824] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0067.824] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.824] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.824] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0067.825] GetLastError () returned 0x0 [0067.825] ReadFile (in: hFile=0x1bc, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x5b2, lpOverlapped=0x0) returned 1 [0067.924] WriteFile (in: hFile=0x1c4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0067.926] ReadFile (in: hFile=0x1bc, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.926] WriteFile (in: hFile=0x1c4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0067.926] SetEndOfFile (hFile=0x1c4) returned 1 [0067.926] CloseHandle (hObject=0x1c4) returned 1 [0067.927] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.927] SetEndOfFile (hFile=0x1bc) returned 1 [0067.928] CloseHandle (hObject=0x1bc) returned 1 [0067.928] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0068.075] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 1 [0068.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0068.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0068.075] lstrlenW (lpString=".doc") returned 4 [0068.075] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.075] lstrlenW (lpString=".docx") returned 5 [0068.075] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0068.075] lstrlenW (lpString=".pdf") returned 4 [0068.075] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.075] lstrlenW (lpString=".xls") returned 4 [0068.075] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.075] lstrlenW (lpString=".xlsx") returned 5 [0068.075] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0068.075] lstrlenW (lpString=".ppt") returned 4 [0068.075] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0068.075] lstrlenW (lpString=".zip") returned 4 [0068.076] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.076] lstrlenW (lpString=".rar") returned 4 [0068.076] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.076] lstrlenW (lpString=".bz2") returned 4 [0068.076] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.076] lstrlenW (lpString=".7z") returned 3 [0068.076] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0068.076] lstrlenW (lpString=".dbf") returned 4 [0068.076] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0068.076] lstrlenW (lpString=".1cd") returned 4 [0068.076] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0068.076] lstrlenW (lpString=".jpg") returned 4 [0068.076] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0068.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0068.076] lstrlenW (lpString=".doc") returned 4 [0068.076] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.076] lstrlenW (lpString=".docx") returned 5 [0068.076] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0068.076] lstrlenW (lpString=".pdf") returned 4 [0068.076] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.076] lstrlenW (lpString=".xls") returned 4 [0068.076] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.077] lstrlenW (lpString=".xlsx") returned 5 [0068.077] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0068.077] lstrlenW (lpString=".ppt") returned 4 [0068.077] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0068.077] lstrlenW (lpString=".zip") returned 4 [0068.077] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.077] lstrlenW (lpString=".rar") returned 4 [0068.077] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.077] lstrlenW (lpString=".bz2") returned 4 [0068.077] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.077] lstrlenW (lpString=".7z") returned 3 [0068.077] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0068.077] lstrlenW (lpString=".dbf") returned 4 [0068.077] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0068.077] lstrlenW (lpString=".1cd") returned 4 [0068.077] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0068.077] lstrlenW (lpString=".jpg") returned 4 [0068.077] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.077] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0068.078] lstrlenW (lpString="InfoPathMUI.xml") returned 15 [0068.078] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0068.079] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1231) returned 1 [0068.079] CloseHandle (hObject=0x1f4) returned 1 [0068.079] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 0x2020 [0068.079] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0068.079] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0068.079] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.079] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.079] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0068.080] GetLastError () returned 0x0 [0068.080] ReadFile (in: hFile=0x1f4, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x4cf, lpOverlapped=0x0) returned 1 [0068.141] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0068.143] ReadFile (in: hFile=0x1f4, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0068.143] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0068.143] SetEndOfFile (hFile=0x1f8) returned 1 [0068.143] CloseHandle (hObject=0x1f8) returned 1 [0068.148] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.149] SetEndOfFile (hFile=0x1f4) returned 1 [0068.149] CloseHandle (hObject=0x1f4) returned 1 [0068.150] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0068.150] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 1 [0068.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0068.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0068.150] lstrlenW (lpString=".doc") returned 4 [0068.150] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.150] lstrlenW (lpString=".docx") returned 5 [0068.150] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0068.150] lstrlenW (lpString=".pdf") returned 4 [0068.150] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.150] lstrlenW (lpString=".xls") returned 4 [0068.150] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.150] lstrlenW (lpString=".xlsx") returned 5 [0068.150] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0068.150] lstrlenW (lpString=".ppt") returned 4 [0068.151] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0068.151] lstrlenW (lpString=".zip") returned 4 [0068.151] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.151] lstrlenW (lpString=".rar") returned 4 [0068.151] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.151] lstrlenW (lpString=".bz2") returned 4 [0068.151] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.151] lstrlenW (lpString=".7z") returned 3 [0068.151] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0068.151] lstrlenW (lpString=".dbf") returned 4 [0068.151] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0068.151] lstrlenW (lpString=".1cd") returned 4 [0068.151] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0068.151] lstrlenW (lpString=".jpg") returned 4 [0068.151] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0068.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0068.151] lstrlenW (lpString=".doc") returned 4 [0068.151] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.151] lstrlenW (lpString=".docx") returned 5 [0068.151] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0068.151] lstrlenW (lpString=".pdf") returned 4 [0068.151] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.151] lstrlenW (lpString=".xls") returned 4 [0068.151] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.151] lstrlenW (lpString=".xlsx") returned 5 [0068.151] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0068.151] lstrlenW (lpString=".ppt") returned 4 [0068.151] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0068.152] lstrlenW (lpString=".zip") returned 4 [0068.152] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.152] lstrlenW (lpString=".rar") returned 4 [0068.152] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.152] lstrlenW (lpString=".bz2") returned 4 [0068.152] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.152] lstrlenW (lpString=".7z") returned 3 [0068.152] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.152] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0068.152] lstrlenW (lpString=".dbf") returned 4 [0068.152] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.152] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0068.152] lstrlenW (lpString=".1cd") returned 4 [0068.152] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.152] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0068.152] lstrlenW (lpString=".jpg") returned 4 [0068.152] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.152] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0068.152] lstrlenW (lpString="VisioMUI.xml") returned 12 [0068.152] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0068.184] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=9503) returned 1 [0068.184] CloseHandle (hObject=0x1b0) returned 1 [0068.184] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 0x2020 [0068.184] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0068.194] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0068.194] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.194] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.202] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0068.202] GetLastError () returned 0x0 [0068.202] ReadFile (in: hFile=0x1b0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x251f, lpOverlapped=0x0) returned 1 [0068.205] WriteFile (in: hFile=0x1f4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x2520, lpOverlapped=0x0) returned 1 [0068.206] ReadFile (in: hFile=0x1b0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0068.206] WriteFile (in: hFile=0x1f4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0068.206] SetEndOfFile (hFile=0x1f4) returned 1 [0068.206] CloseHandle (hObject=0x1f4) returned 1 [0068.207] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.207] SetEndOfFile (hFile=0x1b0) returned 1 [0068.208] CloseHandle (hObject=0x1b0) returned 1 [0068.208] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0068.209] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 1 [0068.209] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0068.209] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0068.209] lstrlenW (lpString=".doc") returned 4 [0068.209] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.209] lstrlenW (lpString=".docx") returned 5 [0068.209] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0068.209] lstrlenW (lpString=".pdf") returned 4 [0068.209] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.209] lstrlenW (lpString=".xls") returned 4 [0068.209] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.209] lstrlenW (lpString=".xlsx") returned 5 [0068.209] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0068.209] lstrlenW (lpString=".ppt") returned 4 [0068.209] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.209] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0068.209] lstrlenW (lpString=".zip") returned 4 [0068.209] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.209] lstrlenW (lpString=".rar") returned 4 [0068.209] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.209] lstrlenW (lpString=".bz2") returned 4 [0068.209] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.209] lstrlenW (lpString=".7z") returned 3 [0068.209] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.209] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0068.209] lstrlenW (lpString=".dbf") returned 4 [0068.210] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0068.210] lstrlenW (lpString=".1cd") returned 4 [0068.210] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0068.210] lstrlenW (lpString=".jpg") returned 4 [0068.210] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0068.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0068.210] lstrlenW (lpString=".doc") returned 4 [0068.210] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.210] lstrlenW (lpString=".docx") returned 5 [0068.210] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0068.210] lstrlenW (lpString=".pdf") returned 4 [0068.210] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.210] lstrlenW (lpString=".xls") returned 4 [0068.210] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.210] lstrlenW (lpString=".xlsx") returned 5 [0068.210] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0068.210] lstrlenW (lpString=".ppt") returned 4 [0068.210] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0068.210] lstrlenW (lpString=".zip") returned 4 [0068.210] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.210] lstrlenW (lpString=".rar") returned 4 [0068.210] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.210] lstrlenW (lpString=".bz2") returned 4 [0068.210] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.210] lstrlenW (lpString=".7z") returned 3 [0068.210] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.211] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0068.211] lstrlenW (lpString=".dbf") returned 4 [0068.211] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.211] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0068.211] lstrlenW (lpString=".1cd") returned 4 [0068.211] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.211] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0068.211] lstrlenW (lpString=".jpg") returned 4 [0068.211] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.211] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0068.211] lstrlenW (lpString="ProjectMUI.xml") returned 14 [0068.211] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0068.214] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1452) returned 1 [0068.214] CloseHandle (hObject=0x164) returned 1 [0068.214] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 0x2020 [0068.214] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0068.214] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0068.214] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.214] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.214] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0068.214] GetLastError () returned 0x0 [0068.215] ReadFile (in: hFile=0x164, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0068.311] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0068.312] ReadFile (in: hFile=0x164, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0068.313] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0068.313] SetEndOfFile (hFile=0x1f8) returned 1 [0068.313] CloseHandle (hObject=0x1f8) returned 1 [0068.314] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.314] SetEndOfFile (hFile=0x164) returned 1 [0068.315] CloseHandle (hObject=0x164) returned 1 [0068.315] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0068.315] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 1 [0068.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0068.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0068.315] lstrlenW (lpString=".doc") returned 4 [0068.315] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.315] lstrlenW (lpString=".docx") returned 5 [0068.315] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0068.315] lstrlenW (lpString=".pdf") returned 4 [0068.315] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.315] lstrlenW (lpString=".xls") returned 4 [0068.315] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.316] lstrlenW (lpString=".xlsx") returned 5 [0068.316] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0068.316] lstrlenW (lpString=".ppt") returned 4 [0068.316] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0068.316] lstrlenW (lpString=".zip") returned 4 [0068.316] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.316] lstrlenW (lpString=".rar") returned 4 [0068.316] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.316] lstrlenW (lpString=".bz2") returned 4 [0068.316] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.316] lstrlenW (lpString=".7z") returned 3 [0068.316] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0068.316] lstrlenW (lpString=".dbf") returned 4 [0068.316] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0068.316] lstrlenW (lpString=".1cd") returned 4 [0068.316] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0068.316] lstrlenW (lpString=".jpg") returned 4 [0068.316] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0068.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0068.316] lstrlenW (lpString=".doc") returned 4 [0068.316] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.316] lstrlenW (lpString=".docx") returned 5 [0068.316] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0068.316] lstrlenW (lpString=".pdf") returned 4 [0068.316] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.316] lstrlenW (lpString=".xls") returned 4 [0068.316] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.317] lstrlenW (lpString=".xlsx") returned 5 [0068.317] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0068.317] lstrlenW (lpString=".ppt") returned 4 [0068.317] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0068.317] lstrlenW (lpString=".zip") returned 4 [0068.317] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.317] lstrlenW (lpString=".rar") returned 4 [0068.317] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.317] lstrlenW (lpString=".bz2") returned 4 [0068.317] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.317] lstrlenW (lpString=".7z") returned 3 [0068.317] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0068.317] lstrlenW (lpString=".dbf") returned 4 [0068.317] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0068.317] lstrlenW (lpString=".1cd") returned 4 [0068.317] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0068.317] lstrlenW (lpString=".jpg") returned 4 [0068.317] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.317] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0068.317] lstrlenW (lpString="Setup.xml") returned 9 [0068.317] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0068.318] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1872) returned 1 [0068.318] CloseHandle (hObject=0x164) returned 1 [0068.318] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0068.318] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0068.318] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0068.318] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.318] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.318] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0068.318] GetLastError () returned 0x0 [0068.318] ReadFile (in: hFile=0x164, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x750, lpOverlapped=0x0) returned 1 [0069.383] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x760, lpOverlapped=0x0) returned 1 [0069.385] ReadFile (in: hFile=0x164, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0069.385] WriteFile (in: hFile=0x1f8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0069.385] SetEndOfFile (hFile=0x1f8) returned 1 [0069.385] CloseHandle (hObject=0x1f8) returned 1 [0069.386] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.386] SetEndOfFile (hFile=0x164) returned 1 [0069.387] CloseHandle (hObject=0x164) returned 1 [0069.387] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0069.387] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0069.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.388] lstrlenW (lpString=".doc") returned 4 [0069.388] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.388] lstrlenW (lpString=".docx") returned 5 [0069.388] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0069.388] lstrlenW (lpString=".pdf") returned 4 [0069.388] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.388] lstrlenW (lpString=".xls") returned 4 [0069.388] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.388] lstrlenW (lpString=".xlsx") returned 5 [0069.388] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0069.388] lstrlenW (lpString=".ppt") returned 4 [0069.388] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.388] lstrlenW (lpString=".zip") returned 4 [0069.388] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.388] lstrlenW (lpString=".rar") returned 4 [0069.388] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.388] lstrlenW (lpString=".bz2") returned 4 [0069.388] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.388] lstrlenW (lpString=".7z") returned 3 [0069.388] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.388] lstrlenW (lpString=".dbf") returned 4 [0069.388] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.388] lstrlenW (lpString=".1cd") returned 4 [0069.389] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.389] lstrlenW (lpString=".jpg") returned 4 [0069.389] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.389] lstrlenW (lpString=".doc") returned 4 [0069.389] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.389] lstrlenW (lpString=".docx") returned 5 [0069.389] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0069.389] lstrlenW (lpString=".pdf") returned 4 [0069.389] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.389] lstrlenW (lpString=".xls") returned 4 [0069.389] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.389] lstrlenW (lpString=".xlsx") returned 5 [0069.389] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0069.389] lstrlenW (lpString=".ppt") returned 4 [0069.389] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.389] lstrlenW (lpString=".zip") returned 4 [0069.389] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.389] lstrlenW (lpString=".rar") returned 4 [0069.389] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.389] lstrlenW (lpString=".bz2") returned 4 [0069.389] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.389] lstrlenW (lpString=".7z") returned 3 [0069.389] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.389] lstrlenW (lpString=".dbf") returned 4 [0069.389] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.389] lstrlenW (lpString=".1cd") returned 4 [0069.390] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.390] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.390] lstrlenW (lpString=".jpg") returned 4 [0069.390] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.390] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0069.390] lstrlenW (lpString="branding.xml") returned 12 [0069.390] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0069.535] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=596341) returned 1 [0069.535] CloseHandle (hObject=0x164) returned 1 [0069.535] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 0x2020 [0069.535] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0069.535] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0069.535] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.535] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.535] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0069.536] GetLastError () returned 0x0 [0069.536] ReadFile (in: hFile=0x164, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x91975, lpOverlapped=0x0) returned 1 [0070.361] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0070.378] ReadFile (in: hFile=0x164, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.380] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0070.381] SetEndOfFile (hFile=0x1e4) returned 1 [0070.381] CloseHandle (hObject=0x1e4) returned 1 [0070.395] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.395] SetEndOfFile (hFile=0x164) returned 1 [0070.470] CloseHandle (hObject=0x164) returned 1 [0070.470] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0070.471] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 1 [0070.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0070.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0070.471] lstrlenW (lpString=".doc") returned 4 [0070.471] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.471] lstrlenW (lpString=".docx") returned 5 [0070.471] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0070.471] lstrlenW (lpString=".pdf") returned 4 [0070.471] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.471] lstrlenW (lpString=".xls") returned 4 [0070.471] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.471] lstrlenW (lpString=".xlsx") returned 5 [0070.471] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0070.471] lstrlenW (lpString=".ppt") returned 4 [0070.471] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0070.471] lstrlenW (lpString=".zip") returned 4 [0070.471] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.471] lstrlenW (lpString=".rar") returned 4 [0070.471] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.471] lstrlenW (lpString=".bz2") returned 4 [0070.471] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.471] lstrlenW (lpString=".7z") returned 3 [0070.471] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0070.471] lstrlenW (lpString=".dbf") returned 4 [0070.472] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0070.472] lstrlenW (lpString=".1cd") returned 4 [0070.472] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0070.472] lstrlenW (lpString=".jpg") returned 4 [0070.472] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0070.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0070.472] lstrlenW (lpString=".doc") returned 4 [0070.472] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.472] lstrlenW (lpString=".docx") returned 5 [0070.472] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0070.472] lstrlenW (lpString=".pdf") returned 4 [0070.472] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.472] lstrlenW (lpString=".xls") returned 4 [0070.472] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.472] lstrlenW (lpString=".xlsx") returned 5 [0070.472] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0070.472] lstrlenW (lpString=".ppt") returned 4 [0070.472] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0070.472] lstrlenW (lpString=".zip") returned 4 [0070.472] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.472] lstrlenW (lpString=".rar") returned 4 [0070.472] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.472] lstrlenW (lpString=".bz2") returned 4 [0070.472] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.472] lstrlenW (lpString=".7z") returned 3 [0070.472] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0070.473] lstrlenW (lpString=".dbf") returned 4 [0070.473] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.473] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0070.473] lstrlenW (lpString=".1cd") returned 4 [0070.473] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.473] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0070.473] lstrlenW (lpString=".jpg") returned 4 [0070.473] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.473] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0070.473] lstrlenW (lpString="Setup.xml") returned 9 [0070.473] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0070.473] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=2624) returned 1 [0070.473] CloseHandle (hObject=0x164) returned 1 [0070.473] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0070.473] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0070.474] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0070.474] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.474] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.474] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0070.474] GetLastError () returned 0x0 [0070.474] ReadFile (in: hFile=0x164, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0xa40, lpOverlapped=0x0) returned 1 [0070.608] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0070.609] ReadFile (in: hFile=0x164, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.609] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0070.610] SetEndOfFile (hFile=0x1e4) returned 1 [0070.610] CloseHandle (hObject=0x1e4) returned 1 [0070.611] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.611] SetEndOfFile (hFile=0x164) returned 1 [0070.612] CloseHandle (hObject=0x164) returned 1 [0070.612] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0070.612] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0070.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.613] lstrlenW (lpString=".doc") returned 4 [0070.613] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.613] lstrlenW (lpString=".docx") returned 5 [0070.613] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0070.613] lstrlenW (lpString=".pdf") returned 4 [0070.613] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.613] lstrlenW (lpString=".xls") returned 4 [0070.613] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.613] lstrlenW (lpString=".xlsx") returned 5 [0070.613] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0070.613] lstrlenW (lpString=".ppt") returned 4 [0070.613] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.613] lstrlenW (lpString=".zip") returned 4 [0070.613] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.613] lstrlenW (lpString=".rar") returned 4 [0070.614] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.614] lstrlenW (lpString=".bz2") returned 4 [0070.614] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.614] lstrlenW (lpString=".7z") returned 3 [0070.614] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.614] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.614] lstrlenW (lpString=".dbf") returned 4 [0070.614] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.614] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.614] lstrlenW (lpString=".1cd") returned 4 [0070.614] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.614] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.614] lstrlenW (lpString=".jpg") returned 4 [0070.614] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.614] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.614] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.614] lstrlenW (lpString=".doc") returned 4 [0070.614] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.614] lstrlenW (lpString=".docx") returned 5 [0070.614] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0070.614] lstrlenW (lpString=".pdf") returned 4 [0070.614] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.614] lstrlenW (lpString=".xls") returned 4 [0070.614] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.614] lstrlenW (lpString=".xlsx") returned 5 [0070.614] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0070.614] lstrlenW (lpString=".ppt") returned 4 [0070.614] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.615] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.615] lstrlenW (lpString=".zip") returned 4 [0070.615] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.615] lstrlenW (lpString=".rar") returned 4 [0070.615] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.615] lstrlenW (lpString=".bz2") returned 4 [0070.615] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.615] lstrlenW (lpString=".7z") returned 3 [0070.615] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.615] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.615] lstrlenW (lpString=".dbf") returned 4 [0070.615] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.615] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.615] lstrlenW (lpString=".1cd") returned 4 [0070.615] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.615] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.615] lstrlenW (lpString=".jpg") returned 4 [0070.615] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.615] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0070.615] lstrlenW (lpString="ProPlusrWW.xml") returned 14 [0070.615] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0070.619] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=16852) returned 1 [0070.619] CloseHandle (hObject=0x1f0) returned 1 [0070.619] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 0x2020 [0070.620] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0070.620] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0070.620] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.620] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.620] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0070.620] GetLastError () returned 0x0 [0070.620] ReadFile (in: hFile=0x1f0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x41d4, lpOverlapped=0x0) returned 1 [0070.925] WriteFile (in: hFile=0x1f4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0070.927] ReadFile (in: hFile=0x1f0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.927] WriteFile (in: hFile=0x1f4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0070.927] SetEndOfFile (hFile=0x1f4) returned 1 [0070.927] CloseHandle (hObject=0x1f4) returned 1 [0070.929] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.929] SetEndOfFile (hFile=0x1f0) returned 1 [0070.930] CloseHandle (hObject=0x1f0) returned 1 [0070.930] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0070.930] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 1 [0070.931] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0070.931] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0070.931] lstrlenW (lpString=".doc") returned 4 [0070.931] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.931] lstrlenW (lpString=".docx") returned 5 [0070.931] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0070.931] lstrlenW (lpString=".pdf") returned 4 [0070.931] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.931] lstrlenW (lpString=".xls") returned 4 [0070.931] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.931] lstrlenW (lpString=".xlsx") returned 5 [0070.931] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0070.931] lstrlenW (lpString=".ppt") returned 4 [0070.931] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.931] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0070.931] lstrlenW (lpString=".zip") returned 4 [0070.931] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.931] lstrlenW (lpString=".rar") returned 4 [0070.931] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.931] lstrlenW (lpString=".bz2") returned 4 [0070.931] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.931] lstrlenW (lpString=".7z") returned 3 [0070.931] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.931] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0070.931] lstrlenW (lpString=".dbf") returned 4 [0070.931] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.931] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0070.931] lstrlenW (lpString=".1cd") returned 4 [0070.931] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.931] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0070.931] lstrlenW (lpString=".jpg") returned 4 [0070.931] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.932] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0070.932] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0070.932] lstrlenW (lpString=".doc") returned 4 [0070.932] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.932] lstrlenW (lpString=".docx") returned 5 [0070.932] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0070.932] lstrlenW (lpString=".pdf") returned 4 [0070.932] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.932] lstrlenW (lpString=".xls") returned 4 [0070.932] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.932] lstrlenW (lpString=".xlsx") returned 5 [0070.932] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0070.932] lstrlenW (lpString=".ppt") returned 4 [0070.932] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.932] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0070.932] lstrlenW (lpString=".zip") returned 4 [0070.932] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.932] lstrlenW (lpString=".rar") returned 4 [0070.932] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.932] lstrlenW (lpString=".bz2") returned 4 [0070.932] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.932] lstrlenW (lpString=".7z") returned 3 [0070.932] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.932] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0070.932] lstrlenW (lpString=".dbf") returned 4 [0070.932] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.932] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0070.932] lstrlenW (lpString=".1cd") returned 4 [0070.932] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.933] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0070.933] lstrlenW (lpString=".jpg") returned 4 [0070.933] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.933] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0070.933] lstrlenW (lpString="Setup.xml") returned 9 [0070.933] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0070.934] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=16683) returned 1 [0070.934] CloseHandle (hObject=0x1f0) returned 1 [0070.934] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0070.934] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0070.934] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0070.934] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.934] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.934] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0070.934] GetLastError () returned 0x0 [0070.934] ReadFile (in: hFile=0x1f0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x412b, lpOverlapped=0x0) returned 1 [0070.937] WriteFile (in: hFile=0x1f4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0070.938] ReadFile (in: hFile=0x1f0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.938] WriteFile (in: hFile=0x1f4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0070.939] SetEndOfFile (hFile=0x1f4) returned 1 [0070.939] CloseHandle (hObject=0x1f4) returned 1 [0070.943] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.943] SetEndOfFile (hFile=0x1f0) returned 1 [0070.945] CloseHandle (hObject=0x1f0) returned 1 [0070.945] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0070.945] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0070.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.945] lstrlenW (lpString=".doc") returned 4 [0070.945] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.946] lstrlenW (lpString=".docx") returned 5 [0070.946] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0070.946] lstrlenW (lpString=".pdf") returned 4 [0070.946] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.946] lstrlenW (lpString=".xls") returned 4 [0070.946] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.946] lstrlenW (lpString=".xlsx") returned 5 [0070.946] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0070.946] lstrlenW (lpString=".ppt") returned 4 [0070.946] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.946] lstrlenW (lpString=".zip") returned 4 [0070.946] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.946] lstrlenW (lpString=".rar") returned 4 [0070.946] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.946] lstrlenW (lpString=".bz2") returned 4 [0070.946] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.946] lstrlenW (lpString=".7z") returned 3 [0070.946] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.946] lstrlenW (lpString=".dbf") returned 4 [0070.946] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.946] lstrlenW (lpString=".1cd") returned 4 [0070.946] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.946] lstrlenW (lpString=".jpg") returned 4 [0070.947] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.947] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.947] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.947] lstrlenW (lpString=".doc") returned 4 [0070.947] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.947] lstrlenW (lpString=".docx") returned 5 [0070.947] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0070.947] lstrlenW (lpString=".pdf") returned 4 [0070.947] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.947] lstrlenW (lpString=".xls") returned 4 [0070.947] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.947] lstrlenW (lpString=".xlsx") returned 5 [0070.947] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0070.947] lstrlenW (lpString=".ppt") returned 4 [0070.947] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.947] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.947] lstrlenW (lpString=".zip") returned 4 [0070.947] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.947] lstrlenW (lpString=".rar") returned 4 [0070.947] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.947] lstrlenW (lpString=".bz2") returned 4 [0070.947] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.947] lstrlenW (lpString=".7z") returned 3 [0070.947] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.947] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.948] lstrlenW (lpString=".dbf") returned 4 [0070.948] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.948] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.948] lstrlenW (lpString=".1cd") returned 4 [0070.948] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.948] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.948] lstrlenW (lpString=".jpg") returned 4 [0070.948] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.948] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0070.948] lstrlenW (lpString="Office32WW.xml") returned 14 [0070.948] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0070.949] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=4274) returned 1 [0070.950] CloseHandle (hObject=0x1f0) returned 1 [0070.950] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0070.950] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0070.950] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0070.950] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.950] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.950] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0070.950] GetLastError () returned 0x0 [0070.951] ReadFile (in: hFile=0x1f0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0070.953] WriteFile (in: hFile=0x1f4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0070.954] ReadFile (in: hFile=0x1f0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.954] WriteFile (in: hFile=0x1f4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0070.954] SetEndOfFile (hFile=0x1f4) returned 1 [0070.955] CloseHandle (hObject=0x1f4) returned 1 [0071.082] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.082] SetEndOfFile (hFile=0x1f0) returned 1 [0071.184] CloseHandle (hObject=0x1f0) returned 1 [0071.184] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0071.193] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0071.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.193] lstrlenW (lpString=".doc") returned 4 [0071.193] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0071.193] lstrlenW (lpString=".docx") returned 5 [0071.193] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0071.193] lstrlenW (lpString=".pdf") returned 4 [0071.193] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0071.193] lstrlenW (lpString=".xls") returned 4 [0071.193] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0071.193] lstrlenW (lpString=".xlsx") returned 5 [0071.193] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0071.194] lstrlenW (lpString=".ppt") returned 4 [0071.194] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0071.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.194] lstrlenW (lpString=".zip") returned 4 [0071.194] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0071.194] lstrlenW (lpString=".rar") returned 4 [0071.194] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0071.194] lstrlenW (lpString=".bz2") returned 4 [0071.194] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0071.194] lstrlenW (lpString=".7z") returned 3 [0071.194] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0071.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.194] lstrlenW (lpString=".dbf") returned 4 [0071.194] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0071.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.194] lstrlenW (lpString=".1cd") returned 4 [0071.194] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0071.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.194] lstrlenW (lpString=".jpg") returned 4 [0071.194] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0071.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.194] lstrlenW (lpString=".doc") returned 4 [0071.194] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0071.195] lstrlenW (lpString=".docx") returned 5 [0071.195] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0071.195] lstrlenW (lpString=".pdf") returned 4 [0071.195] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0071.195] lstrlenW (lpString=".xls") returned 4 [0071.195] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0071.195] lstrlenW (lpString=".xlsx") returned 5 [0071.195] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0071.195] lstrlenW (lpString=".ppt") returned 4 [0071.195] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0071.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.195] lstrlenW (lpString=".zip") returned 4 [0071.195] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0071.195] lstrlenW (lpString=".rar") returned 4 [0071.195] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0071.195] lstrlenW (lpString=".bz2") returned 4 [0071.195] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0071.195] lstrlenW (lpString=".7z") returned 3 [0071.195] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0071.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.195] lstrlenW (lpString=".dbf") returned 4 [0071.195] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0071.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.196] lstrlenW (lpString=".1cd") returned 4 [0071.196] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0071.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.196] lstrlenW (lpString=".jpg") returned 4 [0071.196] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0071.272] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0071.272] lstrlenW (lpString="Alphabet.xml") returned 12 [0071.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0072.643] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=791686) returned 1 [0072.643] CloseHandle (hObject=0x1cc) returned 1 [0072.643] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0072.643] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0072.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0072.643] lstrlenW (lpString=".doc") returned 4 [0072.643] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.643] lstrlenW (lpString=".docx") returned 5 [0072.643] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0072.644] lstrlenW (lpString=".pdf") returned 4 [0072.644] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.644] lstrlenW (lpString=".xls") returned 4 [0072.644] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.644] lstrlenW (lpString=".xlsx") returned 5 [0072.644] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0072.644] lstrlenW (lpString=".ppt") returned 4 [0072.644] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0072.644] lstrlenW (lpString=".zip") returned 4 [0072.644] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.644] lstrlenW (lpString=".rar") returned 4 [0072.644] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.644] lstrlenW (lpString=".bz2") returned 4 [0072.644] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.644] lstrlenW (lpString=".7z") returned 3 [0072.644] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0072.644] lstrlenW (lpString=".dbf") returned 4 [0072.644] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0072.644] lstrlenW (lpString=".1cd") returned 4 [0072.644] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0072.644] lstrlenW (lpString=".jpg") returned 4 [0072.644] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0072.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0072.645] lstrlenW (lpString=".doc") returned 4 [0072.645] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.645] lstrlenW (lpString=".docx") returned 5 [0072.645] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0072.645] lstrlenW (lpString=".pdf") returned 4 [0072.645] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.645] lstrlenW (lpString=".xls") returned 4 [0072.645] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.645] lstrlenW (lpString=".xlsx") returned 5 [0072.645] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0072.645] lstrlenW (lpString=".ppt") returned 4 [0072.645] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0072.645] lstrlenW (lpString=".zip") returned 4 [0072.645] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.645] lstrlenW (lpString=".rar") returned 4 [0072.645] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.645] lstrlenW (lpString=".bz2") returned 4 [0072.645] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.645] lstrlenW (lpString=".7z") returned 3 [0072.645] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0072.645] lstrlenW (lpString=".dbf") returned 4 [0072.645] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0072.646] lstrlenW (lpString=".1cd") returned 4 [0072.646] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0072.646] lstrlenW (lpString=".jpg") returned 4 [0072.646] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.646] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.646] lstrlenW (lpString="base.xml") returned 8 [0072.646] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.798] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=3150) returned 1 [0072.798] CloseHandle (hObject=0x1ec) returned 1 [0072.798] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml")) returned 0x20 [0072.798] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.798] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0072.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0072.798] lstrlenW (lpString=".doc") returned 4 [0072.798] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.799] lstrlenW (lpString=".docx") returned 5 [0072.799] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0072.799] lstrlenW (lpString=".pdf") returned 4 [0072.799] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.799] lstrlenW (lpString=".xls") returned 4 [0072.799] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.799] lstrlenW (lpString=".xlsx") returned 5 [0072.799] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0072.799] lstrlenW (lpString=".ppt") returned 4 [0072.799] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0072.799] lstrlenW (lpString=".zip") returned 4 [0072.799] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.799] lstrlenW (lpString=".rar") returned 4 [0072.799] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.799] lstrlenW (lpString=".bz2") returned 4 [0072.799] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.799] lstrlenW (lpString=".7z") returned 3 [0072.799] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0072.799] lstrlenW (lpString=".dbf") returned 4 [0072.799] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0072.799] lstrlenW (lpString=".1cd") returned 4 [0072.799] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0072.799] lstrlenW (lpString=".jpg") returned 4 [0072.799] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0072.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0072.800] lstrlenW (lpString=".doc") returned 4 [0072.800] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.800] lstrlenW (lpString=".docx") returned 5 [0072.800] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0072.800] lstrlenW (lpString=".pdf") returned 4 [0072.800] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.800] lstrlenW (lpString=".xls") returned 4 [0072.800] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.800] lstrlenW (lpString=".xlsx") returned 5 [0072.800] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0072.800] lstrlenW (lpString=".ppt") returned 4 [0072.800] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0072.800] lstrlenW (lpString=".zip") returned 4 [0072.800] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.800] lstrlenW (lpString=".rar") returned 4 [0072.800] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.800] lstrlenW (lpString=".bz2") returned 4 [0072.800] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.800] lstrlenW (lpString=".7z") returned 3 [0072.800] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0072.800] lstrlenW (lpString=".dbf") returned 4 [0072.800] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0072.800] lstrlenW (lpString=".1cd") returned 4 [0072.801] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.801] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0072.801] lstrlenW (lpString=".jpg") returned 4 [0072.801] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.801] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.801] lstrlenW (lpString="base_ca.xml") returned 11 [0072.801] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.801] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=3166) returned 1 [0072.801] CloseHandle (hObject=0x1ec) returned 1 [0072.801] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml")) returned 0x20 [0072.802] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.802] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0072.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0072.802] lstrlenW (lpString=".doc") returned 4 [0072.802] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.802] lstrlenW (lpString=".docx") returned 5 [0072.802] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0072.802] lstrlenW (lpString=".pdf") returned 4 [0072.802] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.802] lstrlenW (lpString=".xls") returned 4 [0072.802] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.802] lstrlenW (lpString=".xlsx") returned 5 [0072.802] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0072.802] lstrlenW (lpString=".ppt") returned 4 [0072.802] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0072.802] lstrlenW (lpString=".zip") returned 4 [0072.802] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.802] lstrlenW (lpString=".rar") returned 4 [0072.802] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.802] lstrlenW (lpString=".bz2") returned 4 [0072.803] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.803] lstrlenW (lpString=".7z") returned 3 [0072.803] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0072.803] lstrlenW (lpString=".dbf") returned 4 [0072.803] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0072.803] lstrlenW (lpString=".1cd") returned 4 [0072.803] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0072.803] lstrlenW (lpString=".jpg") returned 4 [0072.803] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0072.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0072.803] lstrlenW (lpString=".doc") returned 4 [0072.803] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.803] lstrlenW (lpString=".docx") returned 5 [0072.803] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0072.803] lstrlenW (lpString=".pdf") returned 4 [0072.803] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.803] lstrlenW (lpString=".xls") returned 4 [0072.803] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.803] lstrlenW (lpString=".xlsx") returned 5 [0072.803] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0072.803] lstrlenW (lpString=".ppt") returned 4 [0072.803] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0072.804] lstrlenW (lpString=".zip") returned 4 [0072.804] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.804] lstrlenW (lpString=".rar") returned 4 [0072.804] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.804] lstrlenW (lpString=".bz2") returned 4 [0072.804] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.804] lstrlenW (lpString=".7z") returned 3 [0072.804] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0072.804] lstrlenW (lpString=".dbf") returned 4 [0072.804] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0072.804] lstrlenW (lpString=".1cd") returned 4 [0072.804] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0072.804] lstrlenW (lpString=".jpg") returned 4 [0072.804] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.804] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.804] lstrlenW (lpString="base_heb.xml") returned 12 [0072.804] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.807] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=738) returned 1 [0072.807] CloseHandle (hObject=0x1ec) returned 1 [0072.807] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml")) returned 0x20 [0072.808] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.808] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0072.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0072.808] lstrlenW (lpString=".doc") returned 4 [0072.808] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.808] lstrlenW (lpString=".docx") returned 5 [0072.808] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0072.808] lstrlenW (lpString=".pdf") returned 4 [0072.808] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.808] lstrlenW (lpString=".xls") returned 4 [0072.808] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.808] lstrlenW (lpString=".xlsx") returned 5 [0072.808] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0072.808] lstrlenW (lpString=".ppt") returned 4 [0072.808] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0072.808] lstrlenW (lpString=".zip") returned 4 [0072.808] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.808] lstrlenW (lpString=".rar") returned 4 [0072.808] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.808] lstrlenW (lpString=".bz2") returned 4 [0072.808] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.809] lstrlenW (lpString=".7z") returned 3 [0072.809] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0072.809] lstrlenW (lpString=".dbf") returned 4 [0072.809] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0072.809] lstrlenW (lpString=".1cd") returned 4 [0072.809] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0072.809] lstrlenW (lpString=".jpg") returned 4 [0072.809] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0072.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0072.809] lstrlenW (lpString=".doc") returned 4 [0072.809] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.809] lstrlenW (lpString=".docx") returned 5 [0072.809] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0072.809] lstrlenW (lpString=".pdf") returned 4 [0072.809] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.809] lstrlenW (lpString=".xls") returned 4 [0072.809] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.809] lstrlenW (lpString=".xlsx") returned 5 [0072.809] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0072.809] lstrlenW (lpString=".ppt") returned 4 [0072.809] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0072.809] lstrlenW (lpString=".zip") returned 4 [0072.810] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.810] lstrlenW (lpString=".rar") returned 4 [0072.810] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.810] lstrlenW (lpString=".bz2") returned 4 [0072.810] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.810] lstrlenW (lpString=".7z") returned 3 [0072.810] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.810] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0072.810] lstrlenW (lpString=".dbf") returned 4 [0072.810] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.810] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0072.810] lstrlenW (lpString=".1cd") returned 4 [0072.810] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.810] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0072.810] lstrlenW (lpString=".jpg") returned 4 [0072.810] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.810] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.810] lstrlenW (lpString="base_jpn.xml") returned 12 [0072.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.811] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=804) returned 1 [0072.811] CloseHandle (hObject=0x1ec) returned 1 [0072.811] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml")) returned 0x20 [0072.811] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.811] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0072.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0072.811] lstrlenW (lpString=".doc") returned 4 [0072.811] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.811] lstrlenW (lpString=".docx") returned 5 [0072.811] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0072.811] lstrlenW (lpString=".pdf") returned 4 [0072.811] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.812] lstrlenW (lpString=".xls") returned 4 [0072.812] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.812] lstrlenW (lpString=".xlsx") returned 5 [0072.812] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0072.812] lstrlenW (lpString=".ppt") returned 4 [0072.812] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0072.812] lstrlenW (lpString=".zip") returned 4 [0072.812] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.812] lstrlenW (lpString=".rar") returned 4 [0072.812] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.812] lstrlenW (lpString=".bz2") returned 4 [0072.812] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.812] lstrlenW (lpString=".7z") returned 3 [0072.812] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0072.813] lstrlenW (lpString=".dbf") returned 4 [0072.813] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0072.813] lstrlenW (lpString=".1cd") returned 4 [0072.813] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0072.813] lstrlenW (lpString=".jpg") returned 4 [0072.813] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0072.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0072.813] lstrlenW (lpString=".doc") returned 4 [0072.813] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.813] lstrlenW (lpString=".docx") returned 5 [0072.813] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0072.813] lstrlenW (lpString=".pdf") returned 4 [0072.813] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.813] lstrlenW (lpString=".xls") returned 4 [0072.813] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.813] lstrlenW (lpString=".xlsx") returned 5 [0072.813] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0072.813] lstrlenW (lpString=".ppt") returned 4 [0072.813] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0072.813] lstrlenW (lpString=".zip") returned 4 [0072.813] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.814] lstrlenW (lpString=".rar") returned 4 [0072.814] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.814] lstrlenW (lpString=".bz2") returned 4 [0072.814] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.814] lstrlenW (lpString=".7z") returned 3 [0072.814] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0072.814] lstrlenW (lpString=".dbf") returned 4 [0072.814] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0072.814] lstrlenW (lpString=".1cd") returned 4 [0072.814] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0072.814] lstrlenW (lpString=".jpg") returned 4 [0072.814] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.814] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.814] lstrlenW (lpString="base_kor.xml") returned 12 [0072.814] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.815] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=488) returned 1 [0072.815] CloseHandle (hObject=0x1ec) returned 1 [0072.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml")) returned 0x20 [0072.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0072.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0072.816] lstrlenW (lpString=".doc") returned 4 [0072.816] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.816] lstrlenW (lpString=".docx") returned 5 [0072.816] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0072.816] lstrlenW (lpString=".pdf") returned 4 [0072.816] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.816] lstrlenW (lpString=".xls") returned 4 [0072.816] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.816] lstrlenW (lpString=".xlsx") returned 5 [0072.816] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0072.816] lstrlenW (lpString=".ppt") returned 4 [0072.816] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0072.816] lstrlenW (lpString=".zip") returned 4 [0072.816] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.816] lstrlenW (lpString=".rar") returned 4 [0072.816] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.816] lstrlenW (lpString=".bz2") returned 4 [0072.817] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.817] lstrlenW (lpString=".7z") returned 3 [0072.817] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0072.817] lstrlenW (lpString=".dbf") returned 4 [0072.817] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0072.817] lstrlenW (lpString=".1cd") returned 4 [0072.817] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0072.817] lstrlenW (lpString=".jpg") returned 4 [0072.817] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0072.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0072.817] lstrlenW (lpString=".doc") returned 4 [0072.817] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.817] lstrlenW (lpString=".docx") returned 5 [0072.817] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0072.817] lstrlenW (lpString=".pdf") returned 4 [0072.817] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.817] lstrlenW (lpString=".xls") returned 4 [0072.817] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.817] lstrlenW (lpString=".xlsx") returned 5 [0072.817] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0072.817] lstrlenW (lpString=".ppt") returned 4 [0072.817] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0072.818] lstrlenW (lpString=".zip") returned 4 [0072.818] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.818] lstrlenW (lpString=".rar") returned 4 [0072.818] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.818] lstrlenW (lpString=".bz2") returned 4 [0072.818] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.818] lstrlenW (lpString=".7z") returned 3 [0072.818] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0072.818] lstrlenW (lpString=".dbf") returned 4 [0072.818] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0072.818] lstrlenW (lpString=".1cd") returned 4 [0072.818] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0072.818] lstrlenW (lpString=".jpg") returned 4 [0072.818] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.818] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.818] lstrlenW (lpString="base_rtl.xml") returned 12 [0072.818] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.819] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=617) returned 1 [0072.819] CloseHandle (hObject=0x1ec) returned 1 [0072.819] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml")) returned 0x20 [0072.819] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.819] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0072.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0072.819] lstrlenW (lpString=".doc") returned 4 [0072.819] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.819] lstrlenW (lpString=".docx") returned 5 [0072.819] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0072.819] lstrlenW (lpString=".pdf") returned 4 [0072.819] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.819] lstrlenW (lpString=".xls") returned 4 [0072.820] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.820] lstrlenW (lpString=".xlsx") returned 5 [0072.820] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0072.820] lstrlenW (lpString=".ppt") returned 4 [0072.820] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0072.820] lstrlenW (lpString=".zip") returned 4 [0072.820] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.820] lstrlenW (lpString=".rar") returned 4 [0072.820] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.820] lstrlenW (lpString=".bz2") returned 4 [0072.820] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.820] lstrlenW (lpString=".7z") returned 3 [0072.820] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0072.820] lstrlenW (lpString=".dbf") returned 4 [0072.820] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0073.531] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=2296) returned 1 [0073.531] CloseHandle (hObject=0x1b0) returned 1 [0073.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 0x20 [0073.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0073.531] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0073.531] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.532] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.532] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0073.547] GetLastError () returned 0x0 [0073.547] ReadFile (in: hFile=0x1b0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0073.549] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x900, lpOverlapped=0x0) returned 1 [0073.550] ReadFile (in: hFile=0x1b0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0073.550] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0073.550] SetEndOfFile (hFile=0x1ec) returned 1 [0073.550] CloseHandle (hObject=0x1ec) returned 1 [0073.551] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.552] SetEndOfFile (hFile=0x1b0) returned 1 [0073.553] CloseHandle (hObject=0x1b0) returned 1 [0073.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0073.553] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 1 [0073.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0073.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0073.553] lstrlenW (lpString=".doc") returned 4 [0073.553] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0073.553] lstrlenW (lpString=".docx") returned 5 [0073.553] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0073.553] lstrlenW (lpString=".pdf") returned 4 [0073.554] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0073.554] lstrlenW (lpString=".xls") returned 4 [0073.554] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0073.554] lstrlenW (lpString=".xlsx") returned 5 [0073.554] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0073.554] lstrlenW (lpString=".ppt") returned 4 [0073.554] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0073.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0073.554] lstrlenW (lpString=".zip") returned 4 [0073.554] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0073.554] lstrlenW (lpString=".rar") returned 4 [0073.554] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0073.554] lstrlenW (lpString=".bz2") returned 4 [0073.554] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0073.554] lstrlenW (lpString=".7z") returned 3 [0073.554] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0073.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0073.554] lstrlenW (lpString=".dbf") returned 4 [0073.554] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0073.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0073.554] lstrlenW (lpString=".1cd") returned 4 [0073.554] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0073.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0073.554] lstrlenW (lpString=".jpg") returned 4 [0073.554] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0073.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0073.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0073.555] lstrlenW (lpString=".doc") returned 4 [0073.555] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0073.555] lstrlenW (lpString=".docx") returned 5 [0073.555] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0073.555] lstrlenW (lpString=".pdf") returned 4 [0073.555] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0073.555] lstrlenW (lpString=".xls") returned 4 [0073.555] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0073.555] lstrlenW (lpString=".xlsx") returned 5 [0073.555] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0073.555] lstrlenW (lpString=".ppt") returned 4 [0073.555] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0073.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0073.555] lstrlenW (lpString=".zip") returned 4 [0073.555] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0073.555] lstrlenW (lpString=".rar") returned 4 [0073.555] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0073.555] lstrlenW (lpString=".bz2") returned 4 [0073.555] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0073.555] lstrlenW (lpString=".7z") returned 3 [0073.555] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0073.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0073.555] lstrlenW (lpString=".dbf") returned 4 [0073.555] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0073.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0073.556] lstrlenW (lpString=".1cd") returned 4 [0073.556] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0073.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0073.556] lstrlenW (lpString=".jpg") returned 4 [0073.556] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0073.556] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0073.556] lstrlenW (lpString="InfoPathMUI.XML") returned 15 [0073.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0073.557] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1231) returned 1 [0073.557] CloseHandle (hObject=0x1b0) returned 1 [0073.557] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 0x20 [0073.557] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0073.557] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0073.557] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.557] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.557] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0073.559] GetLastError () returned 0x0 [0073.560] ReadFile (in: hFile=0x1b0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x4cf, lpOverlapped=0x0) returned 1 [0073.562] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0073.563] ReadFile (in: hFile=0x1b0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0073.563] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0073.563] SetEndOfFile (hFile=0x1ec) returned 1 [0073.563] CloseHandle (hObject=0x1ec) returned 1 [0073.564] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.565] SetEndOfFile (hFile=0x1b0) returned 1 [0073.566] CloseHandle (hObject=0x1b0) returned 1 [0073.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0073.566] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 1 [0073.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0073.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0073.566] lstrlenW (lpString=".doc") returned 4 [0073.566] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0073.566] lstrlenW (lpString=".docx") returned 5 [0073.566] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0073.566] lstrlenW (lpString=".pdf") returned 4 [0073.566] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0073.567] lstrlenW (lpString=".xls") returned 4 [0073.567] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0073.567] lstrlenW (lpString=".xlsx") returned 5 [0073.567] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0073.567] lstrlenW (lpString=".ppt") returned 4 [0073.567] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0073.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0073.567] lstrlenW (lpString=".zip") returned 4 [0073.567] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0073.567] lstrlenW (lpString=".rar") returned 4 [0073.567] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0073.567] lstrlenW (lpString=".bz2") returned 4 [0073.567] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0073.567] lstrlenW (lpString=".7z") returned 3 [0073.567] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0073.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0073.567] lstrlenW (lpString=".dbf") returned 4 [0073.567] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0073.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0073.567] lstrlenW (lpString=".1cd") returned 4 [0073.567] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0073.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0073.567] lstrlenW (lpString=".jpg") returned 4 [0073.567] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0073.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0073.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0073.568] lstrlenW (lpString=".doc") returned 4 [0073.568] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0073.568] lstrlenW (lpString=".docx") returned 5 [0073.568] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0073.568] lstrlenW (lpString=".pdf") returned 4 [0073.568] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0073.568] lstrlenW (lpString=".xls") returned 4 [0073.568] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0073.568] lstrlenW (lpString=".xlsx") returned 5 [0073.568] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0073.568] lstrlenW (lpString=".ppt") returned 4 [0073.568] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0073.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0073.568] lstrlenW (lpString=".zip") returned 4 [0073.568] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0073.568] lstrlenW (lpString=".rar") returned 4 [0073.568] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0073.568] lstrlenW (lpString=".bz2") returned 4 [0073.568] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0073.568] lstrlenW (lpString=".7z") returned 3 [0073.568] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0073.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0073.568] lstrlenW (lpString=".dbf") returned 4 [0073.568] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0073.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0073.568] lstrlenW (lpString=".1cd") returned 4 [0073.568] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0073.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0073.569] lstrlenW (lpString=".jpg") returned 4 [0073.569] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0073.569] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0073.569] lstrlenW (lpString="SETUP.XML") returned 9 [0073.569] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0073.569] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1852) returned 1 [0073.569] CloseHandle (hObject=0x1b0) returned 1 [0073.569] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 0x20 [0073.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0073.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0073.570] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.570] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0073.571] GetLastError () returned 0x0 [0073.571] ReadFile (in: hFile=0x1b0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x73c, lpOverlapped=0x0) returned 1 [0073.573] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x740, lpOverlapped=0x0) returned 1 [0073.574] ReadFile (in: hFile=0x1b0, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0073.574] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0073.575] SetEndOfFile (hFile=0x1ec) returned 1 [0073.575] CloseHandle (hObject=0x1ec) returned 1 [0073.576] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.576] SetEndOfFile (hFile=0x1b0) returned 1 [0073.577] CloseHandle (hObject=0x1b0) returned 1 [0073.577] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0073.577] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 1 [0073.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0073.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0073.578] lstrlenW (lpString=".doc") returned 4 [0073.578] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0073.578] lstrlenW (lpString=".docx") returned 5 [0073.578] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0073.578] lstrlenW (lpString=".pdf") returned 4 [0073.578] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0073.578] lstrlenW (lpString=".xls") returned 4 [0073.578] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0073.578] lstrlenW (lpString=".xlsx") returned 5 [0073.578] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0073.578] lstrlenW (lpString=".ppt") returned 4 [0073.578] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0073.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0073.578] lstrlenW (lpString=".zip") returned 4 [0073.578] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0073.578] lstrlenW (lpString=".rar") returned 4 [0073.578] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0073.578] lstrlenW (lpString=".bz2") returned 4 [0073.578] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0073.578] lstrlenW (lpString=".7z") returned 3 [0073.578] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0073.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0073.578] lstrlenW (lpString=".dbf") returned 4 [0073.578] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0073.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0073.579] lstrlenW (lpString=".1cd") returned 4 [0073.579] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0073.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0073.579] lstrlenW (lpString=".jpg") returned 4 [0073.579] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0073.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0073.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0073.579] lstrlenW (lpString=".doc") returned 4 [0073.579] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0073.579] lstrlenW (lpString=".docx") returned 5 [0073.579] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0073.579] lstrlenW (lpString=".pdf") returned 4 [0073.579] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0073.579] lstrlenW (lpString=".xls") returned 4 [0073.579] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0073.579] lstrlenW (lpString=".xlsx") returned 5 [0073.579] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0073.579] lstrlenW (lpString=".ppt") returned 4 [0073.579] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0073.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0073.579] lstrlenW (lpString=".zip") returned 4 [0073.579] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0073.579] lstrlenW (lpString=".rar") returned 4 [0073.579] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0073.579] lstrlenW (lpString=".bz2") returned 4 [0073.580] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0073.580] lstrlenW (lpString=".7z") returned 3 [0073.580] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0073.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0073.580] lstrlenW (lpString=".dbf") returned 4 [0073.580] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0073.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0073.580] lstrlenW (lpString=".1cd") returned 4 [0073.580] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0073.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0073.580] lstrlenW (lpString=".jpg") returned 4 [0073.580] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0073.580] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0073.580] lstrlenW (lpString="BRANDING.XML") returned 12 [0073.580] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0074.018] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=596341) returned 1 [0074.018] CloseHandle (hObject=0x1b8) returned 1 [0074.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 0x20 [0074.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0074.019] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.019] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0074.019] GetLastError () returned 0x0 [0074.019] ReadFile (in: hFile=0x1b8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x91975, lpOverlapped=0x0) returned 1 [0074.038] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0074.052] ReadFile (in: hFile=0x1b8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0074.052] WriteFile (in: hFile=0x1e4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0074.053] SetEndOfFile (hFile=0x1e4) returned 1 [0074.053] CloseHandle (hObject=0x1e4) returned 1 [0074.459] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.460] SetEndOfFile (hFile=0x1b8) returned 1 [0074.470] CloseHandle (hObject=0x1b8) returned 1 [0074.470] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0074.470] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 1 [0074.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0074.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0074.471] lstrlenW (lpString=".doc") returned 4 [0074.471] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0074.471] lstrlenW (lpString=".docx") returned 5 [0074.471] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0074.471] lstrlenW (lpString=".pdf") returned 4 [0074.471] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0074.471] lstrlenW (lpString=".xls") returned 4 [0074.471] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0074.471] lstrlenW (lpString=".xlsx") returned 5 [0074.471] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0074.471] lstrlenW (lpString=".ppt") returned 4 [0074.471] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0074.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0074.471] lstrlenW (lpString=".zip") returned 4 [0074.471] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0074.471] lstrlenW (lpString=".rar") returned 4 [0074.471] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0074.471] lstrlenW (lpString=".bz2") returned 4 [0074.471] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0074.471] lstrlenW (lpString=".7z") returned 3 [0074.471] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0074.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0074.471] lstrlenW (lpString=".dbf") returned 4 [0074.471] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0074.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0074.471] lstrlenW (lpString=".1cd") returned 4 [0074.471] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0074.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0074.471] lstrlenW (lpString=".jpg") returned 4 [0074.471] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0074.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0074.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0074.472] lstrlenW (lpString=".doc") returned 4 [0074.472] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0074.472] lstrlenW (lpString=".docx") returned 5 [0074.472] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0074.472] lstrlenW (lpString=".pdf") returned 4 [0074.472] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0074.472] lstrlenW (lpString=".xls") returned 4 [0074.472] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0074.472] lstrlenW (lpString=".xlsx") returned 5 [0074.472] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0074.472] lstrlenW (lpString=".ppt") returned 4 [0074.472] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0074.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0074.472] lstrlenW (lpString=".zip") returned 4 [0074.472] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0074.472] lstrlenW (lpString=".rar") returned 4 [0074.472] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0074.472] lstrlenW (lpString=".bz2") returned 4 [0074.472] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0074.472] lstrlenW (lpString=".7z") returned 3 [0074.472] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0074.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0074.472] lstrlenW (lpString=".dbf") returned 4 [0074.472] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0074.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0074.472] lstrlenW (lpString=".1cd") returned 4 [0074.472] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0074.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0074.472] lstrlenW (lpString=".jpg") returned 4 [0074.472] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0074.472] lstrcmpiW (lpString1=".CHM", lpString2=".mnbzr") returned -1 [0074.473] lstrlenW (lpString="SETUP.CHM") returned 9 [0074.473] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0074.652] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=67190) returned 1 [0074.652] CloseHandle (hObject=0x1e4) returned 1 [0074.652] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 0x20 [0074.652] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.652] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0074.652] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.652] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.653] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0074.653] GetLastError () returned 0x0 [0074.653] ReadFile (in: hFile=0x1e4, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x10676, lpOverlapped=0x0) returned 1 [0075.364] WriteFile (in: hFile=0x1c8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x10680, lpOverlapped=0x0) returned 1 [0075.366] ReadFile (in: hFile=0x1e4, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0075.366] WriteFile (in: hFile=0x1c8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0075.366] SetEndOfFile (hFile=0x1c8) returned 1 [0075.366] CloseHandle (hObject=0x1c8) returned 1 [0075.373] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.373] SetEndOfFile (hFile=0x1e4) returned 1 [0075.374] CloseHandle (hObject=0x1e4) returned 1 [0075.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0075.375] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 1 [0075.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0075.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0075.375] lstrlenW (lpString=".doc") returned 4 [0075.375] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0075.375] lstrlenW (lpString=".docx") returned 5 [0075.375] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0075.375] lstrlenW (lpString=".pdf") returned 4 [0075.375] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0075.375] lstrlenW (lpString=".xls") returned 4 [0075.375] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0075.375] lstrlenW (lpString=".xlsx") returned 5 [0075.375] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0075.375] lstrlenW (lpString=".ppt") returned 4 [0075.375] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0075.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0075.376] lstrlenW (lpString=".zip") returned 4 [0075.376] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0075.376] lstrlenW (lpString=".rar") returned 4 [0075.376] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0075.376] lstrlenW (lpString=".bz2") returned 4 [0075.376] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0075.376] lstrlenW (lpString=".7z") returned 3 [0075.376] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0075.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0075.376] lstrlenW (lpString=".dbf") returned 4 [0075.376] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0075.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0075.376] lstrlenW (lpString=".1cd") returned 4 [0075.376] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0075.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0075.376] lstrlenW (lpString=".jpg") returned 4 [0075.376] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0075.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0075.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0075.376] lstrlenW (lpString=".doc") returned 4 [0075.376] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0075.376] lstrlenW (lpString=".docx") returned 5 [0075.376] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0075.376] lstrlenW (lpString=".pdf") returned 4 [0075.376] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0075.376] lstrlenW (lpString=".xls") returned 4 [0075.376] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0075.376] lstrlenW (lpString=".xlsx") returned 5 [0075.376] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0075.376] lstrlenW (lpString=".ppt") returned 4 [0075.376] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0075.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0075.376] lstrlenW (lpString=".zip") returned 4 [0075.376] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0075.376] lstrlenW (lpString=".rar") returned 4 [0075.377] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0075.377] lstrlenW (lpString=".bz2") returned 4 [0075.377] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0075.377] lstrlenW (lpString=".7z") returned 3 [0075.377] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0075.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0075.377] lstrlenW (lpString=".dbf") returned 4 [0075.377] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0075.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0075.377] lstrlenW (lpString=".1cd") returned 4 [0075.377] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0075.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0075.377] lstrlenW (lpString=".jpg") returned 4 [0075.377] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0075.377] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0075.377] lstrlenW (lpString="OneNoteMUI.XML") returned 14 [0075.377] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0075.377] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1606) returned 1 [0075.378] CloseHandle (hObject=0x1e4) returned 1 [0075.378] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 0x20 [0075.378] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0075.378] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0075.378] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.378] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.378] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0075.752] GetLastError () returned 0x0 [0075.752] ReadFile (in: hFile=0x1e4, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x646, lpOverlapped=0x0) returned 1 [0075.791] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x650, lpOverlapped=0x0) returned 1 [0075.793] ReadFile (in: hFile=0x1e4, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0075.793] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0075.793] SetEndOfFile (hFile=0x1d4) returned 1 [0075.793] CloseHandle (hObject=0x1d4) returned 1 [0075.794] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.794] SetEndOfFile (hFile=0x1e4) returned 1 [0075.795] CloseHandle (hObject=0x1e4) returned 1 [0075.795] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0075.795] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 1 [0075.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0075.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0075.796] lstrlenW (lpString=".doc") returned 4 [0075.796] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.796] lstrlenW (lpString=".docx") returned 5 [0075.796] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0075.796] lstrlenW (lpString=".pdf") returned 4 [0075.796] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.796] lstrlenW (lpString=".xls") returned 4 [0075.796] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.796] lstrlenW (lpString=".xlsx") returned 5 [0075.796] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0075.796] lstrlenW (lpString=".ppt") returned 4 [0075.796] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0075.796] lstrlenW (lpString=".zip") returned 4 [0075.796] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.796] lstrlenW (lpString=".rar") returned 4 [0075.796] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.797] lstrlenW (lpString=".bz2") returned 4 [0075.797] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.797] lstrlenW (lpString=".7z") returned 3 [0075.797] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0075.797] lstrlenW (lpString=".dbf") returned 4 [0075.797] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0075.797] lstrlenW (lpString=".1cd") returned 4 [0075.797] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0075.797] lstrlenW (lpString=".jpg") returned 4 [0075.797] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0075.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0075.797] lstrlenW (lpString=".doc") returned 4 [0075.797] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.797] lstrlenW (lpString=".docx") returned 5 [0075.797] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0075.797] lstrlenW (lpString=".pdf") returned 4 [0075.797] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.797] lstrlenW (lpString=".xls") returned 4 [0075.797] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.797] lstrlenW (lpString=".xlsx") returned 5 [0075.797] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0075.797] lstrlenW (lpString=".ppt") returned 4 [0075.797] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0075.798] lstrlenW (lpString=".zip") returned 4 [0075.798] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.798] lstrlenW (lpString=".rar") returned 4 [0075.798] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.798] lstrlenW (lpString=".bz2") returned 4 [0075.798] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.798] lstrlenW (lpString=".7z") returned 3 [0075.798] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0075.798] lstrlenW (lpString=".dbf") returned 4 [0075.798] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0075.798] lstrlenW (lpString=".1cd") returned 4 [0075.798] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0075.798] lstrlenW (lpString=".jpg") returned 4 [0075.798] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.884] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0075.884] lstrlenW (lpString="PowerPointMUI.XML") returned 17 [0075.884] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0075.884] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1450) returned 1 [0075.885] CloseHandle (hObject=0x20c) returned 1 [0075.885] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 0x20 [0075.885] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0075.885] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0075.885] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.885] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.885] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0077.813] GetLastError () returned 0x0 [0077.813] ReadFile (in: hFile=0x20c, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0077.852] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0077.853] ReadFile (in: hFile=0x20c, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0077.853] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0077.853] SetEndOfFile (hFile=0x1e8) returned 1 [0077.853] CloseHandle (hObject=0x1e8) returned 1 [0077.857] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.857] SetEndOfFile (hFile=0x20c) returned 1 [0077.858] CloseHandle (hObject=0x20c) returned 1 [0077.859] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0077.859] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 1 [0077.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0077.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0077.859] lstrlenW (lpString=".doc") returned 4 [0077.859] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.859] lstrlenW (lpString=".docx") returned 5 [0077.859] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0077.859] lstrlenW (lpString=".pdf") returned 4 [0077.859] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.860] lstrlenW (lpString=".xls") returned 4 [0077.860] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.860] lstrlenW (lpString=".xlsx") returned 5 [0077.860] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0077.860] lstrlenW (lpString=".ppt") returned 4 [0077.860] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0077.860] lstrlenW (lpString=".zip") returned 4 [0077.860] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.860] lstrlenW (lpString=".rar") returned 4 [0077.860] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.860] lstrlenW (lpString=".bz2") returned 4 [0077.860] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.860] lstrlenW (lpString=".7z") returned 3 [0077.860] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0077.860] lstrlenW (lpString=".dbf") returned 4 [0077.860] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0077.860] lstrlenW (lpString=".1cd") returned 4 [0077.860] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0077.860] lstrlenW (lpString=".jpg") returned 4 [0077.860] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0077.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0077.861] lstrlenW (lpString=".doc") returned 4 [0077.861] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.861] lstrlenW (lpString=".docx") returned 5 [0077.861] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0077.861] lstrlenW (lpString=".pdf") returned 4 [0077.861] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.861] lstrlenW (lpString=".xls") returned 4 [0077.861] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.861] lstrlenW (lpString=".xlsx") returned 5 [0077.861] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0077.861] lstrlenW (lpString=".ppt") returned 4 [0077.861] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0077.861] lstrlenW (lpString=".zip") returned 4 [0077.861] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.861] lstrlenW (lpString=".rar") returned 4 [0077.861] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.861] lstrlenW (lpString=".bz2") returned 4 [0077.861] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.861] lstrlenW (lpString=".7z") returned 3 [0077.861] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0077.861] lstrlenW (lpString=".dbf") returned 4 [0077.861] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0077.861] lstrlenW (lpString=".1cd") returned 4 [0077.861] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0077.862] lstrlenW (lpString=".jpg") returned 4 [0077.862] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.862] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0077.862] lstrlenW (lpString="Proof.XML") returned 9 [0077.862] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0077.862] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1347) returned 1 [0077.862] CloseHandle (hObject=0x20c) returned 1 [0077.863] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 0x20 [0077.863] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0077.863] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0077.863] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.863] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.863] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0077.863] GetLastError () returned 0x0 [0077.863] ReadFile (in: hFile=0x20c, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x543, lpOverlapped=0x0) returned 1 [0077.866] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x550, lpOverlapped=0x0) returned 1 [0077.867] ReadFile (in: hFile=0x20c, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0077.867] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0077.867] SetEndOfFile (hFile=0x1e8) returned 1 [0077.867] CloseHandle (hObject=0x1e8) returned 1 [0077.868] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.868] SetEndOfFile (hFile=0x20c) returned 1 [0077.870] CloseHandle (hObject=0x20c) returned 1 [0077.870] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0077.870] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 1 [0077.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0077.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0077.870] lstrlenW (lpString=".doc") returned 4 [0077.870] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.871] lstrlenW (lpString=".docx") returned 5 [0077.871] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0077.871] lstrlenW (lpString=".pdf") returned 4 [0077.871] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.871] lstrlenW (lpString=".xls") returned 4 [0077.871] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.871] lstrlenW (lpString=".xlsx") returned 5 [0077.871] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0077.871] lstrlenW (lpString=".ppt") returned 4 [0077.871] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0077.871] lstrlenW (lpString=".zip") returned 4 [0077.871] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.871] lstrlenW (lpString=".rar") returned 4 [0077.871] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.871] lstrlenW (lpString=".bz2") returned 4 [0077.871] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.871] lstrlenW (lpString=".7z") returned 3 [0077.871] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0077.871] lstrlenW (lpString=".dbf") returned 4 [0077.871] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0077.871] lstrlenW (lpString=".1cd") returned 4 [0077.871] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0077.871] lstrlenW (lpString=".jpg") returned 4 [0077.871] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0077.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0077.872] lstrlenW (lpString=".doc") returned 4 [0077.872] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.872] lstrlenW (lpString=".docx") returned 5 [0077.872] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0077.872] lstrlenW (lpString=".pdf") returned 4 [0077.872] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.872] lstrlenW (lpString=".xls") returned 4 [0077.872] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.872] lstrlenW (lpString=".xlsx") returned 5 [0077.872] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0077.872] lstrlenW (lpString=".ppt") returned 4 [0077.872] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0077.872] lstrlenW (lpString=".zip") returned 4 [0077.872] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.872] lstrlenW (lpString=".rar") returned 4 [0077.872] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.872] lstrlenW (lpString=".bz2") returned 4 [0077.872] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.872] lstrlenW (lpString=".7z") returned 3 [0077.872] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0077.872] lstrlenW (lpString=".dbf") returned 4 [0077.872] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0077.873] lstrlenW (lpString=".1cd") returned 4 [0077.873] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0077.873] lstrlenW (lpString=".jpg") returned 4 [0077.873] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.873] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0077.873] lstrlenW (lpString="Proof.XML") returned 9 [0077.873] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0077.874] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1457) returned 1 [0077.874] CloseHandle (hObject=0x20c) returned 1 [0077.874] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 0x20 [0077.874] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0077.875] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0077.875] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.875] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.875] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0077.875] GetLastError () returned 0x0 [0077.875] ReadFile (in: hFile=0x20c, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x5b1, lpOverlapped=0x0) returned 1 [0077.877] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0077.879] ReadFile (in: hFile=0x20c, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0077.879] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0077.879] SetEndOfFile (hFile=0x1e8) returned 1 [0077.879] CloseHandle (hObject=0x1e8) returned 1 [0077.882] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.882] SetEndOfFile (hFile=0x20c) returned 1 [0077.886] CloseHandle (hObject=0x20c) returned 1 [0077.886] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0077.886] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 1 [0077.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0077.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0077.887] lstrlenW (lpString=".doc") returned 4 [0077.887] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.887] lstrlenW (lpString=".docx") returned 5 [0077.887] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0077.887] lstrlenW (lpString=".pdf") returned 4 [0077.887] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.887] lstrlenW (lpString=".xls") returned 4 [0077.887] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.887] lstrlenW (lpString=".xlsx") returned 5 [0077.887] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0077.887] lstrlenW (lpString=".ppt") returned 4 [0077.887] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0077.887] lstrlenW (lpString=".zip") returned 4 [0077.887] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.887] lstrlenW (lpString=".rar") returned 4 [0077.887] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.887] lstrlenW (lpString=".bz2") returned 4 [0077.887] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.887] lstrlenW (lpString=".7z") returned 3 [0077.887] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0077.888] lstrlenW (lpString=".dbf") returned 4 [0077.888] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0077.888] lstrlenW (lpString=".1cd") returned 4 [0077.888] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0077.888] lstrlenW (lpString=".jpg") returned 4 [0077.888] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0077.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0077.888] lstrlenW (lpString=".doc") returned 4 [0077.888] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.888] lstrlenW (lpString=".docx") returned 5 [0077.888] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0077.888] lstrlenW (lpString=".pdf") returned 4 [0077.888] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.888] lstrlenW (lpString=".xls") returned 4 [0077.888] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.888] lstrlenW (lpString=".xlsx") returned 5 [0077.888] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0077.888] lstrlenW (lpString=".ppt") returned 4 [0077.888] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0077.888] lstrlenW (lpString=".zip") returned 4 [0077.889] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.889] lstrlenW (lpString=".rar") returned 4 [0077.889] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.889] lstrlenW (lpString=".bz2") returned 4 [0077.889] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.889] lstrlenW (lpString=".7z") returned 3 [0077.889] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0077.889] lstrlenW (lpString=".dbf") returned 4 [0077.889] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0077.889] lstrlenW (lpString=".1cd") returned 4 [0077.889] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0077.889] lstrlenW (lpString=".jpg") returned 4 [0077.889] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.889] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0077.889] lstrlenW (lpString="Proof.XML") returned 9 [0077.889] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0077.890] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1458) returned 1 [0077.890] CloseHandle (hObject=0x20c) returned 1 [0077.890] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 0x20 [0077.890] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0077.890] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0077.890] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.890] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.890] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0077.891] GetLastError () returned 0x0 [0077.891] ReadFile (in: hFile=0x20c, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x5b2, lpOverlapped=0x0) returned 1 [0078.268] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0078.269] ReadFile (in: hFile=0x20c, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0078.269] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0078.269] SetEndOfFile (hFile=0x1e8) returned 1 [0078.269] CloseHandle (hObject=0x1e8) returned 1 [0078.273] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.273] SetEndOfFile (hFile=0x20c) returned 1 [0078.274] CloseHandle (hObject=0x20c) returned 1 [0078.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.275] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 1 [0078.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0078.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0078.275] lstrlenW (lpString=".doc") returned 4 [0078.275] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.275] lstrlenW (lpString=".docx") returned 5 [0078.275] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0078.275] lstrlenW (lpString=".pdf") returned 4 [0078.275] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.275] lstrlenW (lpString=".xls") returned 4 [0078.275] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.275] lstrlenW (lpString=".xlsx") returned 5 [0078.275] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0078.275] lstrlenW (lpString=".ppt") returned 4 [0078.275] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0078.276] lstrlenW (lpString=".zip") returned 4 [0078.276] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.276] lstrlenW (lpString=".rar") returned 4 [0078.276] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.276] lstrlenW (lpString=".bz2") returned 4 [0078.276] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.276] lstrlenW (lpString=".7z") returned 3 [0078.276] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0078.276] lstrlenW (lpString=".dbf") returned 4 [0078.276] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0078.276] lstrlenW (lpString=".1cd") returned 4 [0078.276] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0078.276] lstrlenW (lpString=".jpg") returned 4 [0078.276] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0078.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0078.276] lstrlenW (lpString=".doc") returned 4 [0078.276] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.276] lstrlenW (lpString=".docx") returned 5 [0078.276] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0078.276] lstrlenW (lpString=".pdf") returned 4 [0078.276] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.276] lstrlenW (lpString=".xls") returned 4 [0078.276] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.276] lstrlenW (lpString=".xlsx") returned 5 [0078.276] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0078.277] lstrlenW (lpString=".ppt") returned 4 [0078.277] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0078.277] lstrlenW (lpString=".zip") returned 4 [0078.277] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.277] lstrlenW (lpString=".rar") returned 4 [0078.277] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.277] lstrlenW (lpString=".bz2") returned 4 [0078.277] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.277] lstrlenW (lpString=".7z") returned 3 [0078.277] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0078.277] lstrlenW (lpString=".dbf") returned 4 [0078.277] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0078.277] lstrlenW (lpString=".1cd") returned 4 [0078.277] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0078.277] lstrlenW (lpString=".jpg") returned 4 [0078.277] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.277] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0078.277] lstrlenW (lpString="SETUP.XML") returned 9 [0078.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0078.319] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=6241) returned 1 [0078.319] CloseHandle (hObject=0x204) returned 1 [0078.319] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 0x20 [0078.319] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0078.320] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0078.320] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.320] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.320] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0078.320] GetLastError () returned 0x0 [0078.320] ReadFile (in: hFile=0x204, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x1861, lpOverlapped=0x0) returned 1 [0078.352] WriteFile (in: hFile=0x20c, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0078.353] ReadFile (in: hFile=0x204, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0078.353] WriteFile (in: hFile=0x20c, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0078.353] SetEndOfFile (hFile=0x20c) returned 1 [0078.353] CloseHandle (hObject=0x20c) returned 1 [0078.363] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.364] SetEndOfFile (hFile=0x204) returned 1 [0078.364] CloseHandle (hObject=0x204) returned 1 [0078.365] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.365] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 1 [0078.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0078.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0078.365] lstrlenW (lpString=".doc") returned 4 [0078.365] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.365] lstrlenW (lpString=".docx") returned 5 [0078.365] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.365] lstrlenW (lpString=".pdf") returned 4 [0078.365] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.365] lstrlenW (lpString=".xls") returned 4 [0078.365] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.365] lstrlenW (lpString=".xlsx") returned 5 [0078.366] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.366] lstrlenW (lpString=".ppt") returned 4 [0078.366] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0078.366] lstrlenW (lpString=".zip") returned 4 [0078.366] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.366] lstrlenW (lpString=".rar") returned 4 [0078.366] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.366] lstrlenW (lpString=".bz2") returned 4 [0078.366] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.366] lstrlenW (lpString=".7z") returned 3 [0078.366] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0078.366] lstrlenW (lpString=".dbf") returned 4 [0078.366] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0078.366] lstrlenW (lpString=".1cd") returned 4 [0078.366] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0078.366] lstrlenW (lpString=".jpg") returned 4 [0078.366] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0078.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0078.366] lstrlenW (lpString=".doc") returned 4 [0078.366] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.366] lstrlenW (lpString=".docx") returned 5 [0078.366] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.366] lstrlenW (lpString=".pdf") returned 4 [0078.366] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.366] lstrlenW (lpString=".xls") returned 4 [0078.366] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.366] lstrlenW (lpString=".xlsx") returned 5 [0078.366] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.366] lstrlenW (lpString=".ppt") returned 4 [0078.367] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0078.367] lstrlenW (lpString=".zip") returned 4 [0078.367] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.367] lstrlenW (lpString=".rar") returned 4 [0078.367] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.367] lstrlenW (lpString=".bz2") returned 4 [0078.367] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.367] lstrlenW (lpString=".7z") returned 3 [0078.367] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0078.367] lstrlenW (lpString=".dbf") returned 4 [0078.367] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0078.367] lstrlenW (lpString=".1cd") returned 4 [0078.367] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0078.367] lstrlenW (lpString=".jpg") returned 4 [0078.367] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.367] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0078.367] lstrlenW (lpString="VisioMUI.XML") returned 12 [0078.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0078.408] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=9503) returned 1 [0078.408] CloseHandle (hObject=0x204) returned 1 [0078.408] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 0x20 [0078.408] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0078.408] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0078.409] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.409] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.409] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0078.699] GetLastError () returned 0x0 [0078.699] ReadFile (in: hFile=0x204, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x251f, lpOverlapped=0x0) returned 1 [0078.743] WriteFile (in: hFile=0x208, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x2520, lpOverlapped=0x0) returned 1 [0078.744] ReadFile (in: hFile=0x204, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0078.745] WriteFile (in: hFile=0x208, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0078.745] SetEndOfFile (hFile=0x208) returned 1 [0078.745] CloseHandle (hObject=0x208) returned 1 [0078.753] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.753] SetEndOfFile (hFile=0x204) returned 1 [0078.754] CloseHandle (hObject=0x204) returned 1 [0078.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.754] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 1 [0078.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0078.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0078.755] lstrlenW (lpString=".doc") returned 4 [0078.755] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.755] lstrlenW (lpString=".docx") returned 5 [0078.755] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0078.755] lstrlenW (lpString=".pdf") returned 4 [0078.755] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.755] lstrlenW (lpString=".xls") returned 4 [0078.755] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.755] lstrlenW (lpString=".xlsx") returned 5 [0078.755] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0078.755] lstrlenW (lpString=".ppt") returned 4 [0078.755] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0078.755] lstrlenW (lpString=".zip") returned 4 [0078.755] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.755] lstrlenW (lpString=".rar") returned 4 [0078.755] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.755] lstrlenW (lpString=".bz2") returned 4 [0078.755] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.755] lstrlenW (lpString=".7z") returned 3 [0078.755] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0078.755] lstrlenW (lpString=".dbf") returned 4 [0078.755] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0078.756] lstrlenW (lpString=".1cd") returned 4 [0078.756] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0078.756] lstrlenW (lpString=".jpg") returned 4 [0078.756] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0078.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0078.756] lstrlenW (lpString=".doc") returned 4 [0078.756] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.756] lstrlenW (lpString=".docx") returned 5 [0078.756] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0078.756] lstrlenW (lpString=".pdf") returned 4 [0078.756] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.756] lstrlenW (lpString=".xls") returned 4 [0078.756] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.756] lstrlenW (lpString=".xlsx") returned 5 [0078.756] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0078.756] lstrlenW (lpString=".ppt") returned 4 [0078.756] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0078.756] lstrlenW (lpString=".zip") returned 4 [0078.757] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.757] lstrlenW (lpString=".rar") returned 4 [0078.757] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.757] lstrlenW (lpString=".bz2") returned 4 [0078.757] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.757] lstrlenW (lpString=".7z") returned 3 [0078.757] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0078.757] lstrlenW (lpString=".dbf") returned 4 [0078.757] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0078.757] lstrlenW (lpString=".1cd") returned 4 [0078.757] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0078.757] lstrlenW (lpString=".jpg") returned 4 [0078.757] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.757] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0078.757] lstrlenW (lpString="WordMUI.XML") returned 11 [0078.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0079.228] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1800) returned 1 [0079.228] CloseHandle (hObject=0x1c8) returned 1 [0079.228] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 0x20 [0079.228] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0079.228] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0079.229] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.229] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.229] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0079.613] GetLastError () returned 0x0 [0079.613] ReadFile (in: hFile=0x1c8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x708, lpOverlapped=0x0) returned 1 [0079.777] WriteFile (in: hFile=0x214, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x710, lpOverlapped=0x0) returned 1 [0079.779] ReadFile (in: hFile=0x1c8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0079.779] WriteFile (in: hFile=0x214, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0079.779] SetEndOfFile (hFile=0x214) returned 1 [0079.779] CloseHandle (hObject=0x214) returned 1 [0079.780] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.780] SetEndOfFile (hFile=0x1c8) returned 1 [0079.781] CloseHandle (hObject=0x1c8) returned 1 [0079.782] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0079.782] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 1 [0079.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0079.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0079.782] lstrlenW (lpString=".doc") returned 4 [0079.782] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0079.782] lstrlenW (lpString=".docx") returned 5 [0079.782] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0079.782] lstrlenW (lpString=".pdf") returned 4 [0079.782] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0079.783] lstrlenW (lpString=".xls") returned 4 [0079.783] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0079.783] lstrlenW (lpString=".xlsx") returned 5 [0079.783] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0079.783] lstrlenW (lpString=".ppt") returned 4 [0079.783] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0079.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0079.783] lstrlenW (lpString=".zip") returned 4 [0079.783] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0079.783] lstrlenW (lpString=".rar") returned 4 [0079.783] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0079.783] lstrlenW (lpString=".bz2") returned 4 [0079.783] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0079.783] lstrlenW (lpString=".7z") returned 3 [0079.783] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0079.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0079.783] lstrlenW (lpString=".dbf") returned 4 [0079.783] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0079.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0079.783] lstrlenW (lpString=".1cd") returned 4 [0079.783] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0079.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0079.783] lstrlenW (lpString=".jpg") returned 4 [0079.783] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0079.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0079.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0079.784] lstrlenW (lpString=".doc") returned 4 [0079.784] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0079.784] lstrlenW (lpString=".docx") returned 5 [0079.784] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0079.784] lstrlenW (lpString=".pdf") returned 4 [0079.784] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0079.784] lstrlenW (lpString=".xls") returned 4 [0079.784] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0079.784] lstrlenW (lpString=".xlsx") returned 5 [0079.784] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0079.784] lstrlenW (lpString=".ppt") returned 4 [0079.784] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0079.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0079.784] lstrlenW (lpString=".zip") returned 4 [0079.784] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0079.784] lstrlenW (lpString=".rar") returned 4 [0079.784] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0079.784] lstrlenW (lpString=".bz2") returned 4 [0079.784] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0079.784] lstrlenW (lpString=".7z") returned 3 [0079.784] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0079.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0079.784] lstrlenW (lpString=".dbf") returned 4 [0079.784] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0079.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0079.784] lstrlenW (lpString=".1cd") returned 4 [0079.784] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0079.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0079.785] lstrlenW (lpString=".jpg") returned 4 [0079.785] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0079.990] lstrcmpiW (lpString1=".TXT", lpString2=".mnbzr") returned 1 [0079.990] lstrlenW (lpString="METCONV.TXT") returned 11 [0079.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0079.993] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1183416) returned 1 [0079.993] CloseHandle (hObject=0x204) returned 1 [0079.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 0x20 [0079.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0079.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0079.993] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.993] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0079.994] GetLastError () returned 0x0 [0079.994] ReadFile (in: hFile=0x204, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0080.031] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0080.438] ReadFile (in: hFile=0x204, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x20ec8, lpOverlapped=0x0) returned 1 [0080.451] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x20ed0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x20ed0, lpOverlapped=0x0) returned 1 [0080.724] ReadFile (in: hFile=0x204, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0080.725] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0080.725] SetEndOfFile (hFile=0x1d4) returned 1 [0080.725] CloseHandle (hObject=0x1d4) returned 1 [0080.741] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0080.741] SetEndOfFile (hFile=0x204) returned 1 [0080.744] CloseHandle (hObject=0x204) returned 1 [0080.744] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0080.744] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 1 [0080.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0080.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0080.745] lstrlenW (lpString=".doc") returned 4 [0080.745] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0080.745] lstrlenW (lpString=".docx") returned 5 [0080.745] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0080.745] lstrlenW (lpString=".pdf") returned 4 [0080.745] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0080.745] lstrlenW (lpString=".xls") returned 4 [0080.745] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0080.745] lstrlenW (lpString=".xlsx") returned 5 [0080.745] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0080.745] lstrlenW (lpString=".ppt") returned 4 [0080.745] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0080.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0080.745] lstrlenW (lpString=".zip") returned 4 [0080.745] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0080.745] lstrlenW (lpString=".rar") returned 4 [0080.745] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0080.745] lstrlenW (lpString=".bz2") returned 4 [0080.745] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0080.745] lstrlenW (lpString=".7z") returned 3 [0080.745] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0080.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0080.745] lstrlenW (lpString=".dbf") returned 4 [0080.745] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0080.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0080.746] lstrlenW (lpString=".1cd") returned 4 [0080.746] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0080.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0080.746] lstrlenW (lpString=".jpg") returned 4 [0080.746] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0080.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0080.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0080.746] lstrlenW (lpString=".doc") returned 4 [0080.746] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0080.746] lstrlenW (lpString=".docx") returned 5 [0080.746] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0080.746] lstrlenW (lpString=".pdf") returned 4 [0080.746] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0080.746] lstrlenW (lpString=".xls") returned 4 [0080.746] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0080.746] lstrlenW (lpString=".xlsx") returned 5 [0080.746] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0080.746] lstrlenW (lpString=".ppt") returned 4 [0080.746] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0080.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0080.746] lstrlenW (lpString=".zip") returned 4 [0080.746] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0080.746] lstrlenW (lpString=".rar") returned 4 [0080.746] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0080.746] lstrlenW (lpString=".bz2") returned 4 [0080.747] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0080.747] lstrlenW (lpString=".7z") returned 3 [0080.747] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0080.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0080.747] lstrlenW (lpString=".dbf") returned 4 [0080.747] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0080.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0080.747] lstrlenW (lpString=".1cd") returned 4 [0080.747] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0080.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0080.747] lstrlenW (lpString=".jpg") returned 4 [0080.747] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0080.747] lstrcmpiW (lpString1=".emf", lpString2=".mnbzr") returned -1 [0080.747] lstrlenW (lpString="Graph.emf") returned 9 [0080.747] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0081.944] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=116724) returned 1 [0081.944] CloseHandle (hObject=0x204) returned 1 [0081.944] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf")) returned 0x20 [0081.945] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.945] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.945] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0081.945] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0081.945] lstrlenW (lpString=".doc") returned 4 [0081.945] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0081.945] lstrlenW (lpString=".docx") returned 5 [0081.945] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0081.945] lstrlenW (lpString=".pdf") returned 4 [0081.945] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0081.945] lstrlenW (lpString=".xls") returned 4 [0081.945] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0081.945] lstrlenW (lpString=".xlsx") returned 5 [0081.945] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0081.945] lstrlenW (lpString=".ppt") returned 4 [0081.945] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0081.945] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0081.945] lstrlenW (lpString=".zip") returned 4 [0081.945] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0081.945] lstrlenW (lpString=".rar") returned 4 [0081.946] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0081.946] lstrlenW (lpString=".bz2") returned 4 [0081.946] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0081.946] lstrlenW (lpString=".7z") returned 3 [0081.946] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0081.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0081.946] lstrlenW (lpString=".dbf") returned 4 [0081.946] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0081.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0081.946] lstrlenW (lpString=".1cd") returned 4 [0081.946] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0081.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0081.946] lstrlenW (lpString=".jpg") returned 4 [0081.946] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0081.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0081.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0081.946] lstrlenW (lpString=".doc") returned 4 [0081.946] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0081.946] lstrlenW (lpString=".docx") returned 5 [0081.946] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0081.946] lstrlenW (lpString=".pdf") returned 4 [0081.946] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0081.946] lstrlenW (lpString=".xls") returned 4 [0081.946] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0081.946] lstrlenW (lpString=".xlsx") returned 5 [0081.946] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0081.947] lstrlenW (lpString=".ppt") returned 4 [0081.947] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0081.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0081.947] lstrlenW (lpString=".zip") returned 4 [0081.947] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0081.947] lstrlenW (lpString=".rar") returned 4 [0081.947] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0081.947] lstrlenW (lpString=".bz2") returned 4 [0081.947] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0081.947] lstrlenW (lpString=".7z") returned 3 [0081.947] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0081.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0081.947] lstrlenW (lpString=".dbf") returned 4 [0081.947] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0081.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0081.947] lstrlenW (lpString=".1cd") returned 4 [0081.947] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0081.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0081.947] lstrlenW (lpString=".jpg") returned 4 [0081.947] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0081.947] lstrcmpiW (lpString1=".htm", lpString2=".mnbzr") returned -1 [0081.947] lstrlenW (lpString="Stars.htm") returned 9 [0081.948] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0081.948] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=230) returned 1 [0081.948] CloseHandle (hObject=0x204) returned 1 [0081.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm")) returned 0x20 [0081.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.948] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0081.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0081.948] lstrlenW (lpString=".doc") returned 4 [0081.949] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0081.949] lstrlenW (lpString=".docx") returned 5 [0081.949] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0081.949] lstrlenW (lpString=".pdf") returned 4 [0081.949] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0081.949] lstrlenW (lpString=".xls") returned 4 [0081.949] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0081.949] lstrlenW (lpString=".xlsx") returned 5 [0081.949] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0081.949] lstrlenW (lpString=".ppt") returned 4 [0081.949] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0081.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0081.949] lstrlenW (lpString=".zip") returned 4 [0081.949] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0081.949] lstrlenW (lpString=".rar") returned 4 [0081.949] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0081.949] lstrlenW (lpString=".bz2") returned 4 [0081.949] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0081.949] lstrlenW (lpString=".7z") returned 3 [0081.949] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0081.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0081.949] lstrlenW (lpString=".dbf") returned 4 [0081.949] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0081.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0081.949] lstrlenW (lpString=".1cd") returned 4 [0081.949] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0081.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0081.949] lstrlenW (lpString=".jpg") returned 4 [0081.950] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0081.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0081.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0081.950] lstrlenW (lpString=".doc") returned 4 [0081.950] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0081.950] lstrlenW (lpString=".docx") returned 5 [0081.950] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0081.950] lstrlenW (lpString=".pdf") returned 4 [0081.950] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0081.950] lstrlenW (lpString=".xls") returned 4 [0081.950] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0081.950] lstrlenW (lpString=".xlsx") returned 5 [0081.950] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0081.950] lstrlenW (lpString=".ppt") returned 4 [0081.950] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0081.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0081.950] lstrlenW (lpString=".zip") returned 4 [0081.950] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0081.950] lstrlenW (lpString=".rar") returned 4 [0081.950] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0081.950] lstrlenW (lpString=".bz2") returned 4 [0081.950] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0081.950] lstrlenW (lpString=".7z") returned 3 [0081.950] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0081.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0081.950] lstrlenW (lpString=".dbf") returned 4 [0081.950] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0081.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0081.950] lstrlenW (lpString=".1cd") returned 4 [0081.951] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0081.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 67 [0081.951] lstrlenW (lpString=".jpg") returned 4 [0081.951] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0081.951] lstrcmpiW (lpString1=".jpg", lpString2=".mnbzr") returned -1 [0081.951] lstrlenW (lpString="Stars.jpg") returned 9 [0081.951] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0082.406] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=7505) returned 1 [0082.407] CloseHandle (hObject=0x204) returned 1 [0082.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg")) returned 0x20 [0082.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.407] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0082.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0082.407] lstrlenW (lpString=".doc") returned 4 [0082.407] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0082.407] lstrlenW (lpString=".docx") returned 5 [0082.407] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0082.407] lstrlenW (lpString=".pdf") returned 4 [0082.407] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0082.407] lstrlenW (lpString=".xls") returned 4 [0082.407] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0082.407] lstrlenW (lpString=".xlsx") returned 5 [0082.407] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0082.407] lstrlenW (lpString=".ppt") returned 4 [0082.407] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0082.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0082.408] lstrlenW (lpString=".zip") returned 4 [0082.408] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0082.408] lstrlenW (lpString=".rar") returned 4 [0082.408] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0082.408] lstrlenW (lpString=".bz2") returned 4 [0082.408] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0082.408] lstrlenW (lpString=".7z") returned 3 [0082.408] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0082.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0082.408] lstrlenW (lpString=".dbf") returned 4 [0082.408] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0082.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0082.408] lstrlenW (lpString=".1cd") returned 4 [0082.408] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0082.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0082.408] lstrlenW (lpString=".jpg") returned 4 [0082.408] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0082.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0082.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0082.408] lstrlenW (lpString=".doc") returned 4 [0082.408] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0082.408] lstrlenW (lpString=".docx") returned 5 [0082.408] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0082.408] lstrlenW (lpString=".pdf") returned 4 [0082.408] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0082.408] lstrlenW (lpString=".xls") returned 4 [0082.408] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0082.409] lstrlenW (lpString=".xlsx") returned 5 [0082.409] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0082.409] lstrlenW (lpString=".ppt") returned 4 [0082.409] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0082.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0082.409] lstrlenW (lpString=".zip") returned 4 [0082.409] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0082.409] lstrlenW (lpString=".rar") returned 4 [0082.409] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0082.409] lstrlenW (lpString=".bz2") returned 4 [0082.409] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0082.409] lstrlenW (lpString=".7z") returned 3 [0082.409] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0082.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0082.409] lstrlenW (lpString=".dbf") returned 4 [0082.409] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0082.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0082.409] lstrlenW (lpString=".1cd") returned 4 [0082.409] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0082.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 67 [0082.409] lstrlenW (lpString=".jpg") returned 4 [0082.409] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0082.409] lstrcmpiW (lpString1=".gif", lpString2=".mnbzr") returned -1 [0082.409] lstrlenW (lpString="Stucco.gif") returned 10 [0082.410] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0082.410] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1864) returned 1 [0082.410] CloseHandle (hObject=0x204) returned 1 [0082.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif")) returned 0x20 [0082.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.410] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.410] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0082.410] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0082.410] lstrlenW (lpString=".doc") returned 4 [0082.410] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0082.410] lstrlenW (lpString=".docx") returned 5 [0082.410] lstrcmpiW (lpString1=".docx", lpString2="o.gif") returned -1 [0082.411] lstrlenW (lpString=".pdf") returned 4 [0082.411] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0082.411] lstrlenW (lpString=".xls") returned 4 [0082.411] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0082.411] lstrlenW (lpString=".xlsx") returned 5 [0082.411] lstrcmpiW (lpString1=".xlsx", lpString2="o.gif") returned -1 [0082.411] lstrlenW (lpString=".ppt") returned 4 [0082.411] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0082.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0082.411] lstrlenW (lpString=".zip") returned 4 [0082.411] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0082.411] lstrlenW (lpString=".rar") returned 4 [0082.411] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0082.411] lstrlenW (lpString=".bz2") returned 4 [0082.411] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0082.411] lstrlenW (lpString=".7z") returned 3 [0082.411] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0082.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0082.411] lstrlenW (lpString=".dbf") returned 4 [0082.411] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0082.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0082.411] lstrlenW (lpString=".1cd") returned 4 [0082.411] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0082.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0082.411] lstrlenW (lpString=".jpg") returned 4 [0082.411] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0082.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0082.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0082.412] lstrlenW (lpString=".doc") returned 4 [0082.412] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0082.412] lstrlenW (lpString=".docx") returned 5 [0082.412] lstrcmpiW (lpString1=".docx", lpString2="o.gif") returned -1 [0082.412] lstrlenW (lpString=".pdf") returned 4 [0082.412] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0082.412] lstrlenW (lpString=".xls") returned 4 [0082.412] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0082.412] lstrlenW (lpString=".xlsx") returned 5 [0082.412] lstrcmpiW (lpString1=".xlsx", lpString2="o.gif") returned -1 [0082.412] lstrlenW (lpString=".ppt") returned 4 [0082.412] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0082.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0082.412] lstrlenW (lpString=".zip") returned 4 [0082.412] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0082.412] lstrlenW (lpString=".rar") returned 4 [0082.412] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0082.412] lstrlenW (lpString=".bz2") returned 4 [0082.412] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0082.412] lstrlenW (lpString=".7z") returned 3 [0082.412] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0082.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0082.412] lstrlenW (lpString=".dbf") returned 4 [0082.412] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0082.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0082.412] lstrlenW (lpString=".1cd") returned 4 [0082.412] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0082.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 68 [0082.412] lstrlenW (lpString=".jpg") returned 4 [0082.413] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0082.413] lstrcmpiW (lpString1=".jpg", lpString2=".mnbzr") returned -1 [0082.413] lstrlenW (lpString="Tanspecks.jpg") returned 13 [0082.413] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0082.414] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=3650) returned 1 [0082.414] CloseHandle (hObject=0x204) returned 1 [0082.414] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg")) returned 0x20 [0082.415] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.415] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.415] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0082.415] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0082.415] lstrlenW (lpString=".doc") returned 4 [0082.415] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0082.415] lstrlenW (lpString=".docx") returned 5 [0082.415] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0082.415] lstrlenW (lpString=".pdf") returned 4 [0082.415] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0082.415] lstrlenW (lpString=".xls") returned 4 [0082.415] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0082.415] lstrlenW (lpString=".xlsx") returned 5 [0082.415] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0082.415] lstrlenW (lpString=".ppt") returned 4 [0082.415] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0082.415] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0082.415] lstrlenW (lpString=".zip") returned 4 [0082.415] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0082.415] lstrlenW (lpString=".rar") returned 4 [0082.415] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0082.415] lstrlenW (lpString=".bz2") returned 4 [0082.415] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0082.415] lstrlenW (lpString=".7z") returned 3 [0082.415] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0082.415] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0082.416] lstrlenW (lpString=".dbf") returned 4 [0082.416] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0082.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0082.416] lstrlenW (lpString=".1cd") returned 4 [0082.416] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0082.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0082.416] lstrlenW (lpString=".jpg") returned 4 [0082.416] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0082.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0082.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0082.416] lstrlenW (lpString=".doc") returned 4 [0082.416] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0082.416] lstrlenW (lpString=".docx") returned 5 [0082.416] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0082.416] lstrlenW (lpString=".pdf") returned 4 [0082.416] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0082.416] lstrlenW (lpString=".xls") returned 4 [0082.416] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0082.416] lstrlenW (lpString=".xlsx") returned 5 [0082.416] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0082.416] lstrlenW (lpString=".ppt") returned 4 [0082.416] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0082.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0082.416] lstrlenW (lpString=".zip") returned 4 [0082.416] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0082.417] lstrlenW (lpString=".rar") returned 4 [0082.417] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0082.417] lstrlenW (lpString=".bz2") returned 4 [0082.417] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0082.417] lstrlenW (lpString=".7z") returned 3 [0082.417] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0082.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0082.417] lstrlenW (lpString=".dbf") returned 4 [0082.417] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0082.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0082.417] lstrlenW (lpString=".1cd") returned 4 [0082.417] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0082.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 71 [0082.417] lstrlenW (lpString=".jpg") returned 4 [0082.417] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0082.417] lstrcmpiW (lpString1=".gif", lpString2=".mnbzr") returned -1 [0082.418] lstrlenW (lpString="Tiki.gif") returned 8 [0082.418] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tiki.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0082.418] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=4638) returned 1 [0082.418] CloseHandle (hObject=0x204) returned 1 [0082.418] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tiki.gif")) returned 0x20 [0082.418] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tiki.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.418] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tiki.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 66 [0082.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 66 [0082.418] lstrlenW (lpString=".doc") returned 4 [0082.418] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0082.419] lstrlenW (lpString=".docx") returned 5 [0082.419] lstrcmpiW (lpString1=".docx", lpString2="i.gif") returned -1 [0082.419] lstrlenW (lpString=".pdf") returned 4 [0082.419] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0082.419] lstrlenW (lpString=".xls") returned 4 [0082.419] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0082.419] lstrlenW (lpString=".xlsx") returned 5 [0082.419] lstrcmpiW (lpString1=".xlsx", lpString2="i.gif") returned -1 [0082.419] lstrlenW (lpString=".ppt") returned 4 [0082.419] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0082.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 66 [0082.419] lstrlenW (lpString=".zip") returned 4 [0082.419] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0082.419] lstrlenW (lpString=".rar") returned 4 [0082.419] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0082.419] lstrlenW (lpString=".bz2") returned 4 [0082.419] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0082.419] lstrlenW (lpString=".7z") returned 3 [0082.419] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0082.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 66 [0082.419] lstrlenW (lpString=".dbf") returned 4 [0082.419] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0082.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 66 [0082.419] lstrlenW (lpString=".1cd") returned 4 [0082.419] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0082.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 66 [0082.419] lstrlenW (lpString=".jpg") returned 4 [0082.419] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0082.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 66 [0082.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 66 [0082.420] lstrlenW (lpString=".doc") returned 4 [0082.420] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0082.420] lstrlenW (lpString=".docx") returned 5 [0082.420] lstrcmpiW (lpString1=".docx", lpString2="i.gif") returned -1 [0082.420] lstrlenW (lpString=".pdf") returned 4 [0082.420] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0082.420] lstrlenW (lpString=".xls") returned 4 [0082.420] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0082.420] lstrlenW (lpString=".xlsx") returned 5 [0082.420] lstrcmpiW (lpString1=".xlsx", lpString2="i.gif") returned -1 [0082.420] lstrlenW (lpString=".ppt") returned 4 [0082.420] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0082.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 66 [0082.420] lstrlenW (lpString=".zip") returned 4 [0082.420] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0082.420] lstrlenW (lpString=".rar") returned 4 [0082.420] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0082.420] lstrlenW (lpString=".bz2") returned 4 [0082.420] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0082.420] lstrlenW (lpString=".7z") returned 3 [0082.420] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0082.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 66 [0082.420] lstrlenW (lpString=".dbf") returned 4 [0082.420] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0082.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 66 [0082.420] lstrlenW (lpString=".1cd") returned 4 [0082.420] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0082.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 66 [0082.421] lstrlenW (lpString=".jpg") returned 4 [0082.421] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0082.421] lstrcmpiW (lpString1=".emf", lpString2=".mnbzr") returned -1 [0082.421] lstrlenW (lpString="To_Do_List.emf") returned 14 [0082.421] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\to_do_list.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0082.421] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=26720) returned 1 [0082.421] CloseHandle (hObject=0x204) returned 1 [0082.421] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\to_do_list.emf")) returned 0x20 [0082.421] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\to_do_list.emf.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.421] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\to_do_list.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf") returned 72 [0082.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf") returned 72 [0082.422] lstrlenW (lpString=".doc") returned 4 [0082.422] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0082.422] lstrlenW (lpString=".docx") returned 5 [0082.422] lstrcmpiW (lpString1=".docx", lpString2="t.emf") returned -1 [0082.422] lstrlenW (lpString=".pdf") returned 4 [0082.422] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0082.422] lstrlenW (lpString=".xls") returned 4 [0082.422] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0082.422] lstrlenW (lpString=".xlsx") returned 5 [0082.422] lstrcmpiW (lpString1=".xlsx", lpString2="t.emf") returned -1 [0082.422] lstrlenW (lpString=".ppt") returned 4 [0082.422] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0082.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf") returned 72 [0082.422] lstrlenW (lpString=".zip") returned 4 [0082.422] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0082.422] lstrlenW (lpString=".rar") returned 4 [0082.422] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0082.423] lstrlenW (lpString=".bz2") returned 4 [0082.423] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0082.423] lstrlenW (lpString=".7z") returned 3 [0082.423] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0082.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf") returned 72 [0082.423] lstrlenW (lpString=".dbf") returned 4 [0082.423] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0083.933] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.934] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.934] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0084.170] GetLastError () returned 0x0 [0084.170] ReadFile (in: hFile=0x1e8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x621, lpOverlapped=0x0) returned 1 [0084.172] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x630, lpOverlapped=0x0) returned 1 [0084.174] ReadFile (in: hFile=0x1e8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0084.174] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0084.174] SetEndOfFile (hFile=0x1ec) returned 1 [0084.174] CloseHandle (hObject=0x1ec) returned 1 [0084.174] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.174] SetEndOfFile (hFile=0x1e8) returned 1 [0084.175] CloseHandle (hObject=0x1e8) returned 1 [0084.176] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0084.176] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif")) returned 1 [0084.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0084.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0084.176] lstrlenW (lpString=".doc") returned 4 [0084.176] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.177] lstrlenW (lpString=".docx") returned 5 [0084.177] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.177] lstrlenW (lpString=".pdf") returned 4 [0084.177] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.177] lstrlenW (lpString=".xls") returned 4 [0084.177] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.177] lstrlenW (lpString=".xlsx") returned 5 [0084.177] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.177] lstrlenW (lpString=".ppt") returned 4 [0084.177] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0084.177] lstrlenW (lpString=".zip") returned 4 [0084.177] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.177] lstrlenW (lpString=".rar") returned 4 [0084.177] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.177] lstrlenW (lpString=".bz2") returned 4 [0084.177] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0084.177] lstrlenW (lpString=".7z") returned 3 [0084.177] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0084.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0084.177] lstrlenW (lpString=".dbf") returned 4 [0084.177] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0084.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0084.177] lstrlenW (lpString=".1cd") returned 4 [0084.177] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0084.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0084.178] lstrlenW (lpString=".jpg") returned 4 [0084.178] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0084.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0084.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0084.178] lstrlenW (lpString=".doc") returned 4 [0084.178] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.178] lstrlenW (lpString=".docx") returned 5 [0084.178] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.178] lstrlenW (lpString=".pdf") returned 4 [0084.178] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.178] lstrlenW (lpString=".xls") returned 4 [0084.178] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.178] lstrlenW (lpString=".xlsx") returned 5 [0084.178] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.178] lstrlenW (lpString=".ppt") returned 4 [0084.178] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0084.178] lstrlenW (lpString=".zip") returned 4 [0084.178] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.178] lstrlenW (lpString=".rar") returned 4 [0084.178] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.178] lstrlenW (lpString=".bz2") returned 4 [0084.178] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0084.178] lstrlenW (lpString=".7z") returned 3 [0084.178] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0084.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0084.178] lstrlenW (lpString=".dbf") returned 4 [0084.178] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0084.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0084.178] lstrlenW (lpString=".1cd") returned 4 [0084.178] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0084.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0084.179] lstrlenW (lpString=".jpg") returned 4 [0084.179] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0084.179] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0084.179] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0084.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0084.179] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=29925) returned 1 [0084.179] CloseHandle (hObject=0x1e8) returned 1 [0084.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 0x20 [0084.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0084.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0084.180] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.180] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0084.180] GetLastError () returned 0x0 [0084.180] ReadFile (in: hFile=0x1e8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x74e5, lpOverlapped=0x0) returned 1 [0084.182] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x74f0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x74f0, lpOverlapped=0x0) returned 1 [0084.184] ReadFile (in: hFile=0x1e8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0084.184] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0084.185] SetEndOfFile (hFile=0x1ec) returned 1 [0084.185] CloseHandle (hObject=0x1ec) returned 1 [0084.185] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.185] SetEndOfFile (hFile=0x1e8) returned 1 [0084.186] CloseHandle (hObject=0x1e8) returned 1 [0084.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0084.187] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 1 [0084.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0084.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0084.187] lstrlenW (lpString=".doc") returned 4 [0084.187] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0084.187] lstrlenW (lpString=".docx") returned 5 [0084.187] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0084.187] lstrlenW (lpString=".pdf") returned 4 [0084.187] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0084.187] lstrlenW (lpString=".xls") returned 4 [0084.187] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0084.187] lstrlenW (lpString=".xlsx") returned 5 [0084.187] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0084.187] lstrlenW (lpString=".ppt") returned 4 [0084.187] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0084.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0084.188] lstrlenW (lpString=".zip") returned 4 [0084.188] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0084.188] lstrlenW (lpString=".rar") returned 4 [0084.188] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0084.188] lstrlenW (lpString=".bz2") returned 4 [0084.188] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0084.188] lstrlenW (lpString=".7z") returned 3 [0084.188] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0084.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0084.188] lstrlenW (lpString=".dbf") returned 4 [0084.188] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0084.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0084.188] lstrlenW (lpString=".1cd") returned 4 [0084.188] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0084.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0084.188] lstrlenW (lpString=".jpg") returned 4 [0084.188] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0084.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0084.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0084.188] lstrlenW (lpString=".doc") returned 4 [0084.188] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0084.188] lstrlenW (lpString=".docx") returned 5 [0084.188] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0084.188] lstrlenW (lpString=".pdf") returned 4 [0084.188] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0084.188] lstrlenW (lpString=".xls") returned 4 [0084.189] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0084.189] lstrlenW (lpString=".xlsx") returned 5 [0084.189] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0084.189] lstrlenW (lpString=".ppt") returned 4 [0084.189] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0084.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0084.189] lstrlenW (lpString=".zip") returned 4 [0084.189] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0084.189] lstrlenW (lpString=".rar") returned 4 [0084.189] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0084.189] lstrlenW (lpString=".bz2") returned 4 [0084.189] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0084.189] lstrlenW (lpString=".7z") returned 3 [0084.189] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0084.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0084.189] lstrlenW (lpString=".dbf") returned 4 [0084.189] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0084.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0084.189] lstrlenW (lpString=".1cd") returned 4 [0084.189] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0084.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0084.189] lstrlenW (lpString=".jpg") returned 4 [0084.189] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0084.189] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0084.189] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0084.189] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0084.190] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1363) returned 1 [0084.190] CloseHandle (hObject=0x1e8) returned 1 [0084.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 0x20 [0084.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0084.190] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0084.190] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.190] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.190] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0084.194] GetLastError () returned 0x0 [0084.194] ReadFile (in: hFile=0x1e8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x553, lpOverlapped=0x0) returned 1 [0084.196] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x560, lpOverlapped=0x0) returned 1 [0084.197] ReadFile (in: hFile=0x1e8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0084.197] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0084.198] SetEndOfFile (hFile=0x1ec) returned 1 [0084.198] CloseHandle (hObject=0x1ec) returned 1 [0084.198] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.198] SetEndOfFile (hFile=0x1e8) returned 1 [0084.199] CloseHandle (hObject=0x1e8) returned 1 [0084.199] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0084.199] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 1 [0084.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0084.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0084.199] lstrlenW (lpString=".doc") returned 4 [0084.200] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.200] lstrlenW (lpString=".docx") returned 5 [0084.200] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.200] lstrlenW (lpString=".pdf") returned 4 [0084.200] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.200] lstrlenW (lpString=".xls") returned 4 [0084.200] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.200] lstrlenW (lpString=".xlsx") returned 5 [0084.200] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.200] lstrlenW (lpString=".ppt") returned 4 [0084.200] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0084.200] lstrlenW (lpString=".zip") returned 4 [0084.200] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.200] lstrlenW (lpString=".rar") returned 4 [0084.200] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.200] lstrlenW (lpString=".bz2") returned 4 [0084.200] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0084.200] lstrlenW (lpString=".7z") returned 3 [0084.200] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0084.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0084.200] lstrlenW (lpString=".dbf") returned 4 [0084.200] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0084.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0084.200] lstrlenW (lpString=".1cd") returned 4 [0084.200] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0084.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0084.201] lstrlenW (lpString=".jpg") returned 4 [0084.201] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0084.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0084.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0084.201] lstrlenW (lpString=".doc") returned 4 [0084.201] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.201] lstrlenW (lpString=".docx") returned 5 [0084.201] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.201] lstrlenW (lpString=".pdf") returned 4 [0084.201] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.201] lstrlenW (lpString=".xls") returned 4 [0084.201] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.201] lstrlenW (lpString=".xlsx") returned 5 [0084.201] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.201] lstrlenW (lpString=".ppt") returned 4 [0084.201] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0084.201] lstrlenW (lpString=".zip") returned 4 [0084.201] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.201] lstrlenW (lpString=".rar") returned 4 [0084.201] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.201] lstrlenW (lpString=".bz2") returned 4 [0084.201] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0084.201] lstrlenW (lpString=".7z") returned 3 [0084.201] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0084.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0084.201] lstrlenW (lpString=".dbf") returned 4 [0084.201] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0084.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0084.202] lstrlenW (lpString=".1cd") returned 4 [0084.202] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0084.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0084.202] lstrlenW (lpString=".jpg") returned 4 [0084.202] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0084.202] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0084.202] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0084.202] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0084.202] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=20371) returned 1 [0084.202] CloseHandle (hObject=0x1e8) returned 1 [0084.202] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 0x20 [0084.202] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0084.202] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0084.203] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.203] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.203] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0084.203] GetLastError () returned 0x0 [0084.203] ReadFile (in: hFile=0x1e8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x4f93, lpOverlapped=0x0) returned 1 [0085.228] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x4fa0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x4fa0, lpOverlapped=0x0) returned 1 [0085.229] ReadFile (in: hFile=0x1e8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.229] WriteFile (in: hFile=0x1ec, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.229] SetEndOfFile (hFile=0x1ec) returned 1 [0085.230] CloseHandle (hObject=0x1ec) returned 1 [0085.230] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.230] SetEndOfFile (hFile=0x1e8) returned 1 [0085.231] CloseHandle (hObject=0x1e8) returned 1 [0085.232] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.232] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 1 [0085.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0085.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0085.232] lstrlenW (lpString=".doc") returned 4 [0085.232] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.232] lstrlenW (lpString=".docx") returned 5 [0085.232] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.232] lstrlenW (lpString=".pdf") returned 4 [0085.232] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.232] lstrlenW (lpString=".xls") returned 4 [0085.233] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.233] lstrlenW (lpString=".xlsx") returned 5 [0085.233] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.233] lstrlenW (lpString=".ppt") returned 4 [0085.233] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0085.233] lstrlenW (lpString=".zip") returned 4 [0085.233] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.233] lstrlenW (lpString=".rar") returned 4 [0085.233] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.233] lstrlenW (lpString=".bz2") returned 4 [0085.233] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.233] lstrlenW (lpString=".7z") returned 3 [0085.233] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0085.233] lstrlenW (lpString=".dbf") returned 4 [0085.233] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0085.233] lstrlenW (lpString=".1cd") returned 4 [0085.233] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0085.233] lstrlenW (lpString=".jpg") returned 4 [0085.233] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0085.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0085.233] lstrlenW (lpString=".doc") returned 4 [0085.234] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.234] lstrlenW (lpString=".docx") returned 5 [0085.234] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.234] lstrlenW (lpString=".pdf") returned 4 [0085.234] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.234] lstrlenW (lpString=".xls") returned 4 [0085.234] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.234] lstrlenW (lpString=".xlsx") returned 5 [0085.234] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.234] lstrlenW (lpString=".ppt") returned 4 [0085.234] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0085.234] lstrlenW (lpString=".zip") returned 4 [0085.234] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.234] lstrlenW (lpString=".rar") returned 4 [0085.234] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.234] lstrlenW (lpString=".bz2") returned 4 [0085.234] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.234] lstrlenW (lpString=".7z") returned 3 [0085.234] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0085.234] lstrlenW (lpString=".dbf") returned 4 [0085.234] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0085.234] lstrlenW (lpString=".1cd") returned 4 [0085.234] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0085.234] lstrlenW (lpString=".jpg") returned 4 [0085.235] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.235] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.235] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.235] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.361] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1347) returned 1 [0085.361] CloseHandle (hObject=0x1ec) returned 1 [0085.361] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif")) returned 0x20 [0085.361] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.361] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.361] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.362] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.362] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0085.362] GetLastError () returned 0x0 [0085.362] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x543, lpOverlapped=0x0) returned 1 [0085.364] WriteFile (in: hFile=0x1f0, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x550, lpOverlapped=0x0) returned 1 [0085.365] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.365] WriteFile (in: hFile=0x1f0, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.365] SetEndOfFile (hFile=0x1f0) returned 1 [0085.365] CloseHandle (hObject=0x1f0) returned 1 [0085.366] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.366] SetEndOfFile (hFile=0x1ec) returned 1 [0085.367] CloseHandle (hObject=0x1ec) returned 1 [0085.367] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.367] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif")) returned 1 [0085.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0085.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0085.367] lstrlenW (lpString=".doc") returned 4 [0085.367] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.367] lstrlenW (lpString=".docx") returned 5 [0085.367] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.368] lstrlenW (lpString=".pdf") returned 4 [0085.368] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.368] lstrlenW (lpString=".xls") returned 4 [0085.368] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.368] lstrlenW (lpString=".xlsx") returned 5 [0085.368] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.368] lstrlenW (lpString=".ppt") returned 4 [0085.368] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0085.368] lstrlenW (lpString=".zip") returned 4 [0085.368] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.368] lstrlenW (lpString=".rar") returned 4 [0085.368] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.368] lstrlenW (lpString=".bz2") returned 4 [0085.368] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.368] lstrlenW (lpString=".7z") returned 3 [0085.368] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0085.368] lstrlenW (lpString=".dbf") returned 4 [0085.368] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0085.368] lstrlenW (lpString=".1cd") returned 4 [0085.368] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0085.368] lstrlenW (lpString=".jpg") returned 4 [0085.368] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0085.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0085.369] lstrlenW (lpString=".doc") returned 4 [0085.369] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.369] lstrlenW (lpString=".docx") returned 5 [0085.369] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.369] lstrlenW (lpString=".pdf") returned 4 [0085.369] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.369] lstrlenW (lpString=".xls") returned 4 [0085.369] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.369] lstrlenW (lpString=".xlsx") returned 5 [0085.369] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.369] lstrlenW (lpString=".ppt") returned 4 [0085.369] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0085.369] lstrlenW (lpString=".zip") returned 4 [0085.369] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.369] lstrlenW (lpString=".rar") returned 4 [0085.369] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.369] lstrlenW (lpString=".bz2") returned 4 [0085.369] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.369] lstrlenW (lpString=".7z") returned 3 [0085.369] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0085.369] lstrlenW (lpString=".dbf") returned 4 [0085.369] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0085.369] lstrlenW (lpString=".1cd") returned 4 [0085.369] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0085.370] lstrlenW (lpString=".jpg") returned 4 [0085.370] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.370] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.370] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.370] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1347) returned 1 [0085.370] CloseHandle (hObject=0x1ec) returned 1 [0085.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif")) returned 0x20 [0085.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.371] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.371] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.371] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.371] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0085.373] GetLastError () returned 0x0 [0085.373] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x543, lpOverlapped=0x0) returned 1 [0085.380] WriteFile (in: hFile=0x1f0, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x550, lpOverlapped=0x0) returned 1 [0085.382] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.382] WriteFile (in: hFile=0x1f0, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.382] SetEndOfFile (hFile=0x1f0) returned 1 [0085.382] CloseHandle (hObject=0x1f0) returned 1 [0085.382] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.382] SetEndOfFile (hFile=0x1ec) returned 1 [0085.383] CloseHandle (hObject=0x1ec) returned 1 [0085.383] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.384] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif")) returned 1 [0085.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0085.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0085.384] lstrlenW (lpString=".doc") returned 4 [0085.384] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.384] lstrlenW (lpString=".docx") returned 5 [0085.384] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.384] lstrlenW (lpString=".pdf") returned 4 [0085.384] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.384] lstrlenW (lpString=".xls") returned 4 [0085.384] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.384] lstrlenW (lpString=".xlsx") returned 5 [0085.384] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.384] lstrlenW (lpString=".ppt") returned 4 [0085.384] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0085.384] lstrlenW (lpString=".zip") returned 4 [0085.384] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.384] lstrlenW (lpString=".rar") returned 4 [0085.385] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.385] lstrlenW (lpString=".bz2") returned 4 [0085.385] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.385] lstrlenW (lpString=".7z") returned 3 [0085.385] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0085.385] lstrlenW (lpString=".dbf") returned 4 [0085.385] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0085.385] lstrlenW (lpString=".1cd") returned 4 [0085.385] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0085.385] lstrlenW (lpString=".jpg") returned 4 [0085.385] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0085.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0085.385] lstrlenW (lpString=".doc") returned 4 [0085.385] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.385] lstrlenW (lpString=".docx") returned 5 [0085.385] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.385] lstrlenW (lpString=".pdf") returned 4 [0085.385] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.385] lstrlenW (lpString=".xls") returned 4 [0085.385] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.385] lstrlenW (lpString=".xlsx") returned 5 [0085.385] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.385] lstrlenW (lpString=".ppt") returned 4 [0085.386] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.386] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0085.386] lstrlenW (lpString=".zip") returned 4 [0085.386] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.386] lstrlenW (lpString=".rar") returned 4 [0085.386] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.387] lstrlenW (lpString=".bz2") returned 4 [0085.387] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.387] lstrlenW (lpString=".7z") returned 3 [0085.387] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0085.387] lstrlenW (lpString=".dbf") returned 4 [0085.387] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0085.387] lstrlenW (lpString=".1cd") returned 4 [0085.387] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0085.387] lstrlenW (lpString=".jpg") returned 4 [0085.387] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.387] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.387] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.387] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.388] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=26402) returned 1 [0085.388] CloseHandle (hObject=0x1ec) returned 1 [0085.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 0x20 [0085.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.388] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.388] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.388] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.388] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0085.389] GetLastError () returned 0x0 [0085.389] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x6722, lpOverlapped=0x0) returned 1 [0085.391] WriteFile (in: hFile=0x1f0, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x6730, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x6730, lpOverlapped=0x0) returned 1 [0085.393] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.393] WriteFile (in: hFile=0x1f0, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.393] SetEndOfFile (hFile=0x1f0) returned 1 [0085.393] CloseHandle (hObject=0x1f0) returned 1 [0085.393] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.393] SetEndOfFile (hFile=0x1ec) returned 1 [0085.394] CloseHandle (hObject=0x1ec) returned 1 [0085.395] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.395] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 1 [0085.395] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0085.395] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0085.395] lstrlenW (lpString=".doc") returned 4 [0085.395] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.395] lstrlenW (lpString=".docx") returned 5 [0085.395] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.395] lstrlenW (lpString=".pdf") returned 4 [0085.395] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.395] lstrlenW (lpString=".xls") returned 4 [0085.395] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.395] lstrlenW (lpString=".xlsx") returned 5 [0085.396] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.396] lstrlenW (lpString=".ppt") returned 4 [0085.396] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0085.396] lstrlenW (lpString=".zip") returned 4 [0085.396] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.396] lstrlenW (lpString=".rar") returned 4 [0085.396] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.396] lstrlenW (lpString=".bz2") returned 4 [0085.396] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.396] lstrlenW (lpString=".7z") returned 3 [0085.396] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0085.396] lstrlenW (lpString=".dbf") returned 4 [0085.396] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0085.396] lstrlenW (lpString=".1cd") returned 4 [0085.396] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0085.396] lstrlenW (lpString=".jpg") returned 4 [0085.396] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0085.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0085.396] lstrlenW (lpString=".doc") returned 4 [0085.396] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.396] lstrlenW (lpString=".docx") returned 5 [0085.397] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.397] lstrlenW (lpString=".pdf") returned 4 [0085.397] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.397] lstrlenW (lpString=".xls") returned 4 [0085.397] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.397] lstrlenW (lpString=".xlsx") returned 5 [0085.397] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.397] lstrlenW (lpString=".ppt") returned 4 [0085.397] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0085.397] lstrlenW (lpString=".zip") returned 4 [0085.397] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.397] lstrlenW (lpString=".rar") returned 4 [0085.397] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.397] lstrlenW (lpString=".bz2") returned 4 [0085.397] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.397] lstrlenW (lpString=".7z") returned 3 [0085.397] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0085.397] lstrlenW (lpString=".dbf") returned 4 [0085.397] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0085.397] lstrlenW (lpString=".1cd") returned 4 [0085.397] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0085.397] lstrlenW (lpString=".jpg") returned 4 [0085.397] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.398] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.398] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.398] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.398] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1354) returned 1 [0085.398] CloseHandle (hObject=0x1ec) returned 1 [0085.398] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif")) returned 0x20 [0085.398] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.398] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.399] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.399] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.399] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0085.622] GetLastError () returned 0x0 [0085.622] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x54a, lpOverlapped=0x0) returned 1 [0085.638] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x550, lpOverlapped=0x0) returned 1 [0085.639] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.639] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.639] SetEndOfFile (hFile=0x1d4) returned 1 [0085.639] CloseHandle (hObject=0x1d4) returned 1 [0085.639] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.640] SetEndOfFile (hFile=0x1ec) returned 1 [0085.641] CloseHandle (hObject=0x1ec) returned 1 [0085.641] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.641] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif")) returned 1 [0085.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0085.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0085.641] lstrlenW (lpString=".doc") returned 4 [0085.641] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.641] lstrlenW (lpString=".docx") returned 5 [0085.641] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.641] lstrlenW (lpString=".pdf") returned 4 [0085.642] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.642] lstrlenW (lpString=".xls") returned 4 [0085.642] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.642] lstrlenW (lpString=".xlsx") returned 5 [0085.642] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.642] lstrlenW (lpString=".ppt") returned 4 [0085.642] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0085.642] lstrlenW (lpString=".zip") returned 4 [0085.642] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.642] lstrlenW (lpString=".rar") returned 4 [0085.642] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.642] lstrlenW (lpString=".bz2") returned 4 [0085.642] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.642] lstrlenW (lpString=".7z") returned 3 [0085.642] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0085.642] lstrlenW (lpString=".dbf") returned 4 [0085.642] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0085.642] lstrlenW (lpString=".1cd") returned 4 [0085.642] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0085.642] lstrlenW (lpString=".jpg") returned 4 [0085.642] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0085.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0085.643] lstrlenW (lpString=".doc") returned 4 [0085.643] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.643] lstrlenW (lpString=".docx") returned 5 [0085.643] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.643] lstrlenW (lpString=".pdf") returned 4 [0085.643] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.643] lstrlenW (lpString=".xls") returned 4 [0085.643] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.643] lstrlenW (lpString=".xlsx") returned 5 [0085.643] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.643] lstrlenW (lpString=".ppt") returned 4 [0085.643] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0085.643] lstrlenW (lpString=".zip") returned 4 [0085.643] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.643] lstrlenW (lpString=".rar") returned 4 [0085.643] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.643] lstrlenW (lpString=".bz2") returned 4 [0085.643] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.643] lstrlenW (lpString=".7z") returned 3 [0085.643] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0085.643] lstrlenW (lpString=".dbf") returned 4 [0085.643] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0085.643] lstrlenW (lpString=".1cd") returned 4 [0085.644] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0085.644] lstrlenW (lpString=".jpg") returned 4 [0085.644] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.644] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.644] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.644] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=2476) returned 1 [0085.645] CloseHandle (hObject=0x1ec) returned 1 [0085.645] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif")) returned 0x20 [0085.645] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.645] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.645] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.645] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.645] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0085.648] GetLastError () returned 0x0 [0085.648] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x9ac, lpOverlapped=0x0) returned 1 [0085.650] WriteFile (in: hFile=0x1f0, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x9b0, lpOverlapped=0x0) returned 1 [0085.653] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.653] WriteFile (in: hFile=0x1f0, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.653] SetEndOfFile (hFile=0x1f0) returned 1 [0085.653] CloseHandle (hObject=0x1f0) returned 1 [0085.653] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.653] SetEndOfFile (hFile=0x1ec) returned 1 [0085.654] CloseHandle (hObject=0x1ec) returned 1 [0085.654] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.655] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif")) returned 1 [0085.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0085.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0085.655] lstrlenW (lpString=".doc") returned 4 [0085.655] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.655] lstrlenW (lpString=".docx") returned 5 [0085.655] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.655] lstrlenW (lpString=".pdf") returned 4 [0085.655] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.655] lstrlenW (lpString=".xls") returned 4 [0085.655] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.655] lstrlenW (lpString=".xlsx") returned 5 [0085.655] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.655] lstrlenW (lpString=".ppt") returned 4 [0085.655] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0085.656] lstrlenW (lpString=".zip") returned 4 [0085.656] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.656] lstrlenW (lpString=".rar") returned 4 [0085.656] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.656] lstrlenW (lpString=".bz2") returned 4 [0085.656] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.656] lstrlenW (lpString=".7z") returned 3 [0085.656] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0085.656] lstrlenW (lpString=".dbf") returned 4 [0085.656] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0085.656] lstrlenW (lpString=".1cd") returned 4 [0085.656] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0085.656] lstrlenW (lpString=".jpg") returned 4 [0085.656] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0085.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0085.656] lstrlenW (lpString=".doc") returned 4 [0085.656] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.656] lstrlenW (lpString=".docx") returned 5 [0085.656] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.656] lstrlenW (lpString=".pdf") returned 4 [0085.656] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.657] lstrlenW (lpString=".xls") returned 4 [0085.657] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.657] lstrlenW (lpString=".xlsx") returned 5 [0085.657] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.657] lstrlenW (lpString=".ppt") returned 4 [0085.657] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0085.657] lstrlenW (lpString=".zip") returned 4 [0085.657] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.657] lstrlenW (lpString=".rar") returned 4 [0085.657] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.657] lstrlenW (lpString=".bz2") returned 4 [0085.657] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.657] lstrlenW (lpString=".7z") returned 3 [0085.657] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0085.657] lstrlenW (lpString=".dbf") returned 4 [0085.657] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0085.657] lstrlenW (lpString=".1cd") returned 4 [0085.657] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0085.657] lstrlenW (lpString=".jpg") returned 4 [0085.657] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.658] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.658] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.658] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=19485) returned 1 [0085.658] CloseHandle (hObject=0x1ec) returned 1 [0085.658] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 0x20 [0085.658] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.659] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.659] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.659] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0085.659] GetLastError () returned 0x0 [0085.659] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x4c1d, lpOverlapped=0x0) returned 1 [0085.661] WriteFile (in: hFile=0x1f0, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x4c20, lpOverlapped=0x0) returned 1 [0085.663] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.663] WriteFile (in: hFile=0x1f0, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.663] SetEndOfFile (hFile=0x1f0) returned 1 [0085.663] CloseHandle (hObject=0x1f0) returned 1 [0085.663] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.664] SetEndOfFile (hFile=0x1ec) returned 1 [0085.665] CloseHandle (hObject=0x1ec) returned 1 [0085.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.665] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 1 [0085.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0085.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0085.665] lstrlenW (lpString=".doc") returned 4 [0085.665] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.665] lstrlenW (lpString=".docx") returned 5 [0085.666] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.666] lstrlenW (lpString=".pdf") returned 4 [0085.666] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.666] lstrlenW (lpString=".xls") returned 4 [0085.666] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.666] lstrlenW (lpString=".xlsx") returned 5 [0085.666] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.666] lstrlenW (lpString=".ppt") returned 4 [0085.666] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0085.666] lstrlenW (lpString=".zip") returned 4 [0085.666] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.666] lstrlenW (lpString=".rar") returned 4 [0085.666] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.666] lstrlenW (lpString=".bz2") returned 4 [0085.666] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.666] lstrlenW (lpString=".7z") returned 3 [0085.666] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0085.666] lstrlenW (lpString=".dbf") returned 4 [0085.666] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0085.666] lstrlenW (lpString=".1cd") returned 4 [0085.666] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0085.666] lstrlenW (lpString=".jpg") returned 4 [0085.666] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0085.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0085.667] lstrlenW (lpString=".doc") returned 4 [0085.667] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.667] lstrlenW (lpString=".docx") returned 5 [0085.667] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.667] lstrlenW (lpString=".pdf") returned 4 [0085.667] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.667] lstrlenW (lpString=".xls") returned 4 [0085.667] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.667] lstrlenW (lpString=".xlsx") returned 5 [0085.667] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.667] lstrlenW (lpString=".ppt") returned 4 [0085.667] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.667] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0085.667] lstrlenW (lpString=".zip") returned 4 [0085.667] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.667] lstrlenW (lpString=".rar") returned 4 [0085.668] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.668] lstrlenW (lpString=".bz2") returned 4 [0085.668] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.668] lstrlenW (lpString=".7z") returned 3 [0085.668] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.668] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0085.668] lstrlenW (lpString=".dbf") returned 4 [0085.668] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.668] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0085.668] lstrlenW (lpString=".1cd") returned 4 [0085.668] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.668] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0085.668] lstrlenW (lpString=".jpg") returned 4 [0085.668] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.668] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.668] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.670] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1232) returned 1 [0085.670] CloseHandle (hObject=0x1ec) returned 1 [0085.670] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 0x20 [0085.670] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.670] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.670] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.670] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.670] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0085.875] GetLastError () returned 0x0 [0085.875] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x4d0, lpOverlapped=0x0) returned 1 [0085.877] WriteFile (in: hFile=0x204, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x4e0, lpOverlapped=0x0) returned 1 [0085.878] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.878] WriteFile (in: hFile=0x204, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.878] SetEndOfFile (hFile=0x204) returned 1 [0085.878] CloseHandle (hObject=0x204) returned 1 [0085.879] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.879] SetEndOfFile (hFile=0x1ec) returned 1 [0085.879] CloseHandle (hObject=0x1ec) returned 1 [0085.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.880] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 1 [0085.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0085.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0085.880] lstrlenW (lpString=".doc") returned 4 [0085.880] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.880] lstrlenW (lpString=".docx") returned 5 [0085.880] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.880] lstrlenW (lpString=".pdf") returned 4 [0085.880] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.880] lstrlenW (lpString=".xls") returned 4 [0085.880] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.880] lstrlenW (lpString=".xlsx") returned 5 [0085.880] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.880] lstrlenW (lpString=".ppt") returned 4 [0085.880] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0085.880] lstrlenW (lpString=".zip") returned 4 [0085.880] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.880] lstrlenW (lpString=".rar") returned 4 [0085.880] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.880] lstrlenW (lpString=".bz2") returned 4 [0085.880] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.881] lstrlenW (lpString=".7z") returned 3 [0085.881] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0085.881] lstrlenW (lpString=".dbf") returned 4 [0085.881] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0085.881] lstrlenW (lpString=".1cd") returned 4 [0085.881] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0085.881] lstrlenW (lpString=".jpg") returned 4 [0085.881] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0085.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0085.881] lstrlenW (lpString=".doc") returned 4 [0085.881] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.881] lstrlenW (lpString=".docx") returned 5 [0085.881] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.881] lstrlenW (lpString=".pdf") returned 4 [0085.881] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.881] lstrlenW (lpString=".xls") returned 4 [0085.881] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.881] lstrlenW (lpString=".xlsx") returned 5 [0085.881] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.881] lstrlenW (lpString=".ppt") returned 4 [0085.881] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0085.881] lstrlenW (lpString=".zip") returned 4 [0085.881] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.881] lstrlenW (lpString=".rar") returned 4 [0085.881] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.881] lstrlenW (lpString=".bz2") returned 4 [0085.881] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.881] lstrlenW (lpString=".7z") returned 3 [0085.882] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0085.882] lstrlenW (lpString=".dbf") returned 4 [0085.882] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0085.882] lstrlenW (lpString=".1cd") returned 4 [0085.882] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0085.882] lstrlenW (lpString=".jpg") returned 4 [0085.882] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.882] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.882] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.882] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.883] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1364) returned 1 [0085.883] CloseHandle (hObject=0x1ec) returned 1 [0085.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 0x20 [0085.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.883] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.884] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.884] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0085.886] GetLastError () returned 0x0 [0085.886] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x554, lpOverlapped=0x0) returned 1 [0085.887] WriteFile (in: hFile=0x204, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x560, lpOverlapped=0x0) returned 1 [0085.889] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.889] WriteFile (in: hFile=0x204, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.889] SetEndOfFile (hFile=0x204) returned 1 [0085.889] CloseHandle (hObject=0x204) returned 1 [0085.889] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.889] SetEndOfFile (hFile=0x1ec) returned 1 [0085.890] CloseHandle (hObject=0x1ec) returned 1 [0085.890] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.890] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 1 [0085.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0085.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0085.891] lstrlenW (lpString=".doc") returned 4 [0085.891] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.891] lstrlenW (lpString=".docx") returned 5 [0085.891] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.891] lstrlenW (lpString=".pdf") returned 4 [0085.891] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.891] lstrlenW (lpString=".xls") returned 4 [0085.891] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.891] lstrlenW (lpString=".xlsx") returned 5 [0085.891] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.891] lstrlenW (lpString=".ppt") returned 4 [0085.891] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0085.891] lstrlenW (lpString=".zip") returned 4 [0085.891] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.891] lstrlenW (lpString=".rar") returned 4 [0085.891] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.891] lstrlenW (lpString=".bz2") returned 4 [0085.891] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.891] lstrlenW (lpString=".7z") returned 3 [0085.891] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0085.891] lstrlenW (lpString=".dbf") returned 4 [0085.891] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0085.891] lstrlenW (lpString=".1cd") returned 4 [0085.891] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0085.892] lstrlenW (lpString=".jpg") returned 4 [0085.892] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0085.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0085.892] lstrlenW (lpString=".doc") returned 4 [0085.892] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.892] lstrlenW (lpString=".docx") returned 5 [0085.892] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.892] lstrlenW (lpString=".pdf") returned 4 [0085.892] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.892] lstrlenW (lpString=".xls") returned 4 [0085.892] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.892] lstrlenW (lpString=".xlsx") returned 5 [0085.892] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.892] lstrlenW (lpString=".ppt") returned 4 [0085.892] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0085.892] lstrlenW (lpString=".zip") returned 4 [0085.892] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.892] lstrlenW (lpString=".rar") returned 4 [0085.892] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.892] lstrlenW (lpString=".bz2") returned 4 [0085.892] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.892] lstrlenW (lpString=".7z") returned 3 [0085.892] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0085.892] lstrlenW (lpString=".dbf") returned 4 [0085.893] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0085.893] lstrlenW (lpString=".1cd") returned 4 [0085.893] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0085.893] lstrlenW (lpString=".jpg") returned 4 [0085.893] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.893] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.893] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.893] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.893] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=11573) returned 1 [0085.893] CloseHandle (hObject=0x1ec) returned 1 [0085.894] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 0x20 [0085.894] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.894] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.894] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.894] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.894] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0085.894] GetLastError () returned 0x0 [0085.894] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x2d35, lpOverlapped=0x0) returned 1 [0085.896] WriteFile (in: hFile=0x204, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x2d40, lpOverlapped=0x0) returned 1 [0085.897] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.897] WriteFile (in: hFile=0x204, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.897] SetEndOfFile (hFile=0x204) returned 1 [0085.897] CloseHandle (hObject=0x204) returned 1 [0085.898] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.898] SetEndOfFile (hFile=0x1ec) returned 1 [0085.898] CloseHandle (hObject=0x1ec) returned 1 [0085.899] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.899] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 1 [0085.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0085.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0085.899] lstrlenW (lpString=".doc") returned 4 [0085.899] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.899] lstrlenW (lpString=".docx") returned 5 [0085.899] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.899] lstrlenW (lpString=".pdf") returned 4 [0085.899] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.899] lstrlenW (lpString=".xls") returned 4 [0085.899] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.899] lstrlenW (lpString=".xlsx") returned 5 [0085.899] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.899] lstrlenW (lpString=".ppt") returned 4 [0085.899] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0085.899] lstrlenW (lpString=".zip") returned 4 [0085.900] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.900] lstrlenW (lpString=".rar") returned 4 [0085.900] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.900] lstrlenW (lpString=".bz2") returned 4 [0085.900] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.900] lstrlenW (lpString=".7z") returned 3 [0085.900] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0085.900] lstrlenW (lpString=".dbf") returned 4 [0085.900] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0085.900] lstrlenW (lpString=".1cd") returned 4 [0085.900] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0085.900] lstrlenW (lpString=".jpg") returned 4 [0085.900] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0085.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0085.900] lstrlenW (lpString=".doc") returned 4 [0085.900] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.900] lstrlenW (lpString=".docx") returned 5 [0085.900] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.900] lstrlenW (lpString=".pdf") returned 4 [0085.900] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.900] lstrlenW (lpString=".xls") returned 4 [0085.900] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.900] lstrlenW (lpString=".xlsx") returned 5 [0085.900] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.900] lstrlenW (lpString=".ppt") returned 4 [0085.900] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0085.901] lstrlenW (lpString=".zip") returned 4 [0085.901] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.901] lstrlenW (lpString=".rar") returned 4 [0085.901] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.901] lstrlenW (lpString=".bz2") returned 4 [0085.901] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.901] lstrlenW (lpString=".7z") returned 3 [0085.901] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0085.901] lstrlenW (lpString=".dbf") returned 4 [0085.901] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0085.901] lstrlenW (lpString=".1cd") returned 4 [0085.901] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0085.901] lstrlenW (lpString=".jpg") returned 4 [0085.901] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.901] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.901] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.901] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.902] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=2574) returned 1 [0085.902] CloseHandle (hObject=0x1ec) returned 1 [0085.902] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif")) returned 0x20 [0085.902] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.902] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.902] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0085.905] GetLastError () returned 0x0 [0085.905] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0xa0e, lpOverlapped=0x0) returned 1 [0085.907] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xa10, lpOverlapped=0x0) returned 1 [0085.908] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.909] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.909] SetEndOfFile (hFile=0x1e8) returned 1 [0085.909] CloseHandle (hObject=0x1e8) returned 1 [0085.909] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.909] SetEndOfFile (hFile=0x1ec) returned 1 [0085.910] CloseHandle (hObject=0x1ec) returned 1 [0085.910] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.910] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif")) returned 1 [0085.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0085.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0085.911] lstrlenW (lpString=".doc") returned 4 [0085.911] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.911] lstrlenW (lpString=".docx") returned 5 [0085.911] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.911] lstrlenW (lpString=".pdf") returned 4 [0085.911] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.911] lstrlenW (lpString=".xls") returned 4 [0085.911] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.911] lstrlenW (lpString=".xlsx") returned 5 [0085.911] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.911] lstrlenW (lpString=".ppt") returned 4 [0085.911] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0085.911] lstrlenW (lpString=".zip") returned 4 [0085.911] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.911] lstrlenW (lpString=".rar") returned 4 [0085.911] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.911] lstrlenW (lpString=".bz2") returned 4 [0085.911] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.911] lstrlenW (lpString=".7z") returned 3 [0085.911] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0085.911] lstrlenW (lpString=".dbf") returned 4 [0085.912] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0085.912] lstrlenW (lpString=".1cd") returned 4 [0085.912] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0085.912] lstrlenW (lpString=".jpg") returned 4 [0085.912] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0085.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0085.912] lstrlenW (lpString=".doc") returned 4 [0085.912] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.912] lstrlenW (lpString=".docx") returned 5 [0085.912] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.912] lstrlenW (lpString=".pdf") returned 4 [0085.912] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.912] lstrlenW (lpString=".xls") returned 4 [0085.912] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.912] lstrlenW (lpString=".xlsx") returned 5 [0085.912] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.912] lstrlenW (lpString=".ppt") returned 4 [0085.912] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0085.912] lstrlenW (lpString=".zip") returned 4 [0085.912] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.912] lstrlenW (lpString=".rar") returned 4 [0085.912] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.912] lstrlenW (lpString=".bz2") returned 4 [0085.912] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.912] lstrlenW (lpString=".7z") returned 3 [0085.912] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0085.912] lstrlenW (lpString=".dbf") returned 4 [0085.913] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0085.913] lstrlenW (lpString=".1cd") returned 4 [0085.913] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0085.913] lstrlenW (lpString=".jpg") returned 4 [0085.913] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.913] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.913] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.913] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.913] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=37440) returned 1 [0085.913] CloseHandle (hObject=0x1ec) returned 1 [0085.913] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 0x20 [0085.913] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.914] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.914] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0085.914] GetLastError () returned 0x0 [0085.914] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x9240, lpOverlapped=0x0) returned 1 [0086.135] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x9250, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x9250, lpOverlapped=0x0) returned 1 [0086.137] ReadFile (in: hFile=0x1ec, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.137] WriteFile (in: hFile=0x1e8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0086.137] SetEndOfFile (hFile=0x1e8) returned 1 [0086.137] CloseHandle (hObject=0x1e8) returned 1 [0086.137] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.137] SetEndOfFile (hFile=0x1ec) returned 1 [0086.138] CloseHandle (hObject=0x1ec) returned 1 [0086.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.139] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 1 [0086.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0086.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0086.139] lstrlenW (lpString=".doc") returned 4 [0086.139] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.139] lstrlenW (lpString=".docx") returned 5 [0086.139] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.139] lstrlenW (lpString=".pdf") returned 4 [0086.139] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.139] lstrlenW (lpString=".xls") returned 4 [0086.139] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.139] lstrlenW (lpString=".xlsx") returned 5 [0086.139] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.139] lstrlenW (lpString=".ppt") returned 4 [0086.139] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0086.139] lstrlenW (lpString=".zip") returned 4 [0086.139] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.139] lstrlenW (lpString=".rar") returned 4 [0086.139] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.139] lstrlenW (lpString=".bz2") returned 4 [0086.140] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.140] lstrlenW (lpString=".7z") returned 3 [0086.140] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0086.140] lstrlenW (lpString=".dbf") returned 4 [0086.140] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0086.140] lstrlenW (lpString=".1cd") returned 4 [0086.140] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0086.140] lstrlenW (lpString=".jpg") returned 4 [0086.140] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0086.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0086.140] lstrlenW (lpString=".doc") returned 4 [0086.140] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.140] lstrlenW (lpString=".docx") returned 5 [0086.140] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.140] lstrlenW (lpString=".pdf") returned 4 [0086.140] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.140] lstrlenW (lpString=".xls") returned 4 [0086.140] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.140] lstrlenW (lpString=".xlsx") returned 5 [0086.140] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.140] lstrlenW (lpString=".ppt") returned 4 [0086.140] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0086.140] lstrlenW (lpString=".zip") returned 4 [0086.140] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.140] lstrlenW (lpString=".rar") returned 4 [0086.140] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.140] lstrlenW (lpString=".bz2") returned 4 [0086.141] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.141] lstrlenW (lpString=".7z") returned 3 [0086.141] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0086.141] lstrlenW (lpString=".dbf") returned 4 [0086.141] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0086.141] lstrlenW (lpString=".1cd") returned 4 [0086.141] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0086.141] lstrlenW (lpString=".jpg") returned 4 [0086.141] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.141] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0086.141] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0086.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0086.426] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=16738) returned 1 [0086.426] CloseHandle (hObject=0x1b8) returned 1 [0086.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 0x20 [0086.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.426] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0086.426] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.426] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.426] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0086.427] GetLastError () returned 0x0 [0086.427] ReadFile (in: hFile=0x1b8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x4162, lpOverlapped=0x0) returned 1 [0086.596] WriteFile (in: hFile=0x1c8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x4170, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x4170, lpOverlapped=0x0) returned 1 [0086.598] ReadFile (in: hFile=0x1b8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.598] WriteFile (in: hFile=0x1c8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0086.598] SetEndOfFile (hFile=0x1c8) returned 1 [0086.598] CloseHandle (hObject=0x1c8) returned 1 [0086.598] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.598] SetEndOfFile (hFile=0x1b8) returned 1 [0086.600] CloseHandle (hObject=0x1b8) returned 1 [0086.600] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.600] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 1 [0086.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0086.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0086.600] lstrlenW (lpString=".doc") returned 4 [0086.600] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.600] lstrlenW (lpString=".docx") returned 5 [0086.601] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.601] lstrlenW (lpString=".pdf") returned 4 [0086.601] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.601] lstrlenW (lpString=".xls") returned 4 [0086.601] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.601] lstrlenW (lpString=".xlsx") returned 5 [0086.601] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.601] lstrlenW (lpString=".ppt") returned 4 [0086.601] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0086.601] lstrlenW (lpString=".zip") returned 4 [0086.601] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.601] lstrlenW (lpString=".rar") returned 4 [0086.601] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.601] lstrlenW (lpString=".bz2") returned 4 [0086.601] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.601] lstrlenW (lpString=".7z") returned 3 [0086.601] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0086.601] lstrlenW (lpString=".dbf") returned 4 [0086.601] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0086.601] lstrlenW (lpString=".1cd") returned 4 [0086.601] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0086.601] lstrlenW (lpString=".jpg") returned 4 [0086.601] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0086.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0086.602] lstrlenW (lpString=".doc") returned 4 [0086.602] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.602] lstrlenW (lpString=".docx") returned 5 [0086.602] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.602] lstrlenW (lpString=".pdf") returned 4 [0086.602] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.602] lstrlenW (lpString=".xls") returned 4 [0086.602] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.602] lstrlenW (lpString=".xlsx") returned 5 [0086.602] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.602] lstrlenW (lpString=".ppt") returned 4 [0086.602] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0086.602] lstrlenW (lpString=".zip") returned 4 [0086.602] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.602] lstrlenW (lpString=".rar") returned 4 [0086.602] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.602] lstrlenW (lpString=".bz2") returned 4 [0086.602] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.602] lstrlenW (lpString=".7z") returned 3 [0086.602] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0086.603] lstrlenW (lpString=".dbf") returned 4 [0086.603] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0086.603] lstrlenW (lpString=".1cd") returned 4 [0086.603] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0086.603] lstrlenW (lpString=".jpg") returned 4 [0086.603] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.603] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0086.603] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0086.603] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0086.621] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=31975) returned 1 [0086.621] CloseHandle (hObject=0x1b8) returned 1 [0086.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 0x20 [0086.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0086.621] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.621] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0086.622] GetLastError () returned 0x0 [0086.622] ReadFile (in: hFile=0x1b8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x7ce7, lpOverlapped=0x0) returned 1 [0086.625] WriteFile (in: hFile=0x1c8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x7cf0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x7cf0, lpOverlapped=0x0) returned 1 [0086.627] ReadFile (in: hFile=0x1b8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.627] WriteFile (in: hFile=0x1c8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0086.627] SetEndOfFile (hFile=0x1c8) returned 1 [0086.627] CloseHandle (hObject=0x1c8) returned 1 [0086.628] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.628] SetEndOfFile (hFile=0x1b8) returned 1 [0086.629] CloseHandle (hObject=0x1b8) returned 1 [0086.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.630] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 1 [0086.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0086.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0086.630] lstrlenW (lpString=".doc") returned 4 [0086.631] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.631] lstrlenW (lpString=".docx") returned 5 [0086.631] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.631] lstrlenW (lpString=".pdf") returned 4 [0086.631] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.631] lstrlenW (lpString=".xls") returned 4 [0086.631] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.631] lstrlenW (lpString=".xlsx") returned 5 [0086.631] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.631] lstrlenW (lpString=".ppt") returned 4 [0086.631] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0086.631] lstrlenW (lpString=".zip") returned 4 [0086.631] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.631] lstrlenW (lpString=".rar") returned 4 [0086.631] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.631] lstrlenW (lpString=".bz2") returned 4 [0086.631] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.631] lstrlenW (lpString=".7z") returned 3 [0086.631] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0086.631] lstrlenW (lpString=".dbf") returned 4 [0086.631] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0086.631] lstrlenW (lpString=".1cd") returned 4 [0086.631] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0086.632] lstrlenW (lpString=".jpg") returned 4 [0086.632] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0086.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0086.632] lstrlenW (lpString=".doc") returned 4 [0086.632] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.632] lstrlenW (lpString=".docx") returned 5 [0086.632] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.632] lstrlenW (lpString=".pdf") returned 4 [0086.632] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.632] lstrlenW (lpString=".xls") returned 4 [0086.632] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.632] lstrlenW (lpString=".xlsx") returned 5 [0086.632] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.632] lstrlenW (lpString=".ppt") returned 4 [0086.632] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0086.632] lstrlenW (lpString=".zip") returned 4 [0086.632] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.632] lstrlenW (lpString=".rar") returned 4 [0086.632] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.632] lstrlenW (lpString=".bz2") returned 4 [0086.632] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.632] lstrlenW (lpString=".7z") returned 3 [0086.633] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0086.633] lstrlenW (lpString=".dbf") returned 4 [0086.633] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0086.633] lstrlenW (lpString=".1cd") returned 4 [0086.633] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0086.633] lstrlenW (lpString=".jpg") returned 4 [0086.633] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.633] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0086.633] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0086.633] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0086.634] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=4100) returned 1 [0086.634] CloseHandle (hObject=0x1b8) returned 1 [0086.634] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 0x20 [0086.634] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.634] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0086.635] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.635] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.635] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0086.638] GetLastError () returned 0x0 [0086.638] ReadFile (in: hFile=0x1b8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x1004, lpOverlapped=0x0) returned 1 [0086.640] WriteFile (in: hFile=0x1c8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x1010, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x1010, lpOverlapped=0x0) returned 1 [0086.641] ReadFile (in: hFile=0x1b8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.641] WriteFile (in: hFile=0x1c8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0086.642] SetEndOfFile (hFile=0x1c8) returned 1 [0086.642] CloseHandle (hObject=0x1c8) returned 1 [0086.642] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.642] SetEndOfFile (hFile=0x1b8) returned 1 [0086.643] CloseHandle (hObject=0x1b8) returned 1 [0086.643] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.643] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 1 [0086.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0086.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0086.644] lstrlenW (lpString=".doc") returned 4 [0086.644] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0086.644] lstrlenW (lpString=".docx") returned 5 [0086.644] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0086.644] lstrlenW (lpString=".pdf") returned 4 [0086.644] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0086.644] lstrlenW (lpString=".xls") returned 4 [0086.644] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0086.644] lstrlenW (lpString=".xlsx") returned 5 [0086.644] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0086.644] lstrlenW (lpString=".ppt") returned 4 [0086.644] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0086.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0086.644] lstrlenW (lpString=".zip") returned 4 [0086.644] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0086.644] lstrlenW (lpString=".rar") returned 4 [0086.644] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0086.644] lstrlenW (lpString=".bz2") returned 4 [0086.644] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0086.645] lstrlenW (lpString=".7z") returned 3 [0086.645] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0086.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0086.645] lstrlenW (lpString=".dbf") returned 4 [0086.645] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0086.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0086.645] lstrlenW (lpString=".1cd") returned 4 [0086.645] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0086.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0086.645] lstrlenW (lpString=".jpg") returned 4 [0086.645] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0086.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0086.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0086.645] lstrlenW (lpString=".doc") returned 4 [0086.645] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0086.645] lstrlenW (lpString=".docx") returned 5 [0086.645] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0086.645] lstrlenW (lpString=".pdf") returned 4 [0086.645] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0086.645] lstrlenW (lpString=".xls") returned 4 [0086.645] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0086.645] lstrlenW (lpString=".xlsx") returned 5 [0086.645] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0086.645] lstrlenW (lpString=".ppt") returned 4 [0086.645] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0086.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0086.646] lstrlenW (lpString=".zip") returned 4 [0086.646] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0086.646] lstrlenW (lpString=".rar") returned 4 [0086.646] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0086.646] lstrlenW (lpString=".bz2") returned 4 [0086.646] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0086.646] lstrlenW (lpString=".7z") returned 3 [0086.646] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0086.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0086.646] lstrlenW (lpString=".dbf") returned 4 [0086.646] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0086.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0086.646] lstrlenW (lpString=".1cd") returned 4 [0086.646] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0086.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0086.646] lstrlenW (lpString=".jpg") returned 4 [0086.646] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0086.646] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0086.646] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0086.646] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0086.647] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=47962) returned 1 [0086.647] CloseHandle (hObject=0x1b8) returned 1 [0086.647] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 0x20 [0086.647] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.647] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0086.647] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.648] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.648] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0086.648] GetLastError () returned 0x0 [0086.648] ReadFile (in: hFile=0x1b8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0xbb5a, lpOverlapped=0x0) returned 1 [0087.015] WriteFile (in: hFile=0x1c8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xbb60, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xbb60, lpOverlapped=0x0) returned 1 [0087.045] ReadFile (in: hFile=0x1b8, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0087.045] WriteFile (in: hFile=0x1c8, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0087.045] SetEndOfFile (hFile=0x1c8) returned 1 [0087.050] CloseHandle (hObject=0x1c8) returned 1 [0087.064] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0087.065] SetEndOfFile (hFile=0x1b8) returned 1 [0087.066] CloseHandle (hObject=0x1b8) returned 1 [0087.066] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0087.244] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 1 [0087.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0087.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0087.582] lstrlenW (lpString=".doc") returned 4 [0087.582] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0087.582] lstrlenW (lpString=".docx") returned 5 [0087.582] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0087.582] lstrlenW (lpString=".pdf") returned 4 [0087.582] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0087.582] lstrlenW (lpString=".xls") returned 4 [0087.582] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0087.582] lstrlenW (lpString=".xlsx") returned 5 [0087.582] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0087.582] lstrlenW (lpString=".ppt") returned 4 [0087.583] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0087.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0087.583] lstrlenW (lpString=".zip") returned 4 [0087.583] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0087.583] lstrlenW (lpString=".rar") returned 4 [0087.583] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0087.583] lstrlenW (lpString=".bz2") returned 4 [0087.583] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0087.583] lstrlenW (lpString=".7z") returned 3 [0087.583] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0087.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0087.583] lstrlenW (lpString=".dbf") returned 4 [0087.583] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0087.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0087.583] lstrlenW (lpString=".1cd") returned 4 [0087.583] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0087.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0087.583] lstrlenW (lpString=".jpg") returned 4 [0087.583] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0087.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0087.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0087.583] lstrlenW (lpString=".doc") returned 4 [0087.583] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0087.583] lstrlenW (lpString=".docx") returned 5 [0087.583] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0087.583] lstrlenW (lpString=".pdf") returned 4 [0087.583] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0087.584] lstrlenW (lpString=".xls") returned 4 [0087.584] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0087.584] lstrlenW (lpString=".xlsx") returned 5 [0087.584] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0087.584] lstrlenW (lpString=".ppt") returned 4 [0087.584] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0087.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0087.584] lstrlenW (lpString=".zip") returned 4 [0087.584] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0087.584] lstrlenW (lpString=".rar") returned 4 [0087.584] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0087.584] lstrlenW (lpString=".bz2") returned 4 [0087.584] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0087.584] lstrlenW (lpString=".7z") returned 3 [0087.584] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0087.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0087.584] lstrlenW (lpString=".dbf") returned 4 [0087.584] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0087.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0087.584] lstrlenW (lpString=".1cd") returned 4 [0087.584] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0087.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0087.584] lstrlenW (lpString=".jpg") returned 4 [0087.584] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0087.585] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0087.585] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0087.585] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0088.060] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=937) returned 1 [0088.060] CloseHandle (hObject=0x214) returned 1 [0088.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 0x20 [0088.101] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0088.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0088.223] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.223] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.223] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0088.289] GetLastError () returned 0x0 [0088.289] ReadFile (in: hFile=0x214, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x3a9, lpOverlapped=0x0) returned 1 [0088.578] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x3b0, lpOverlapped=0x0) returned 1 [0088.579] ReadFile (in: hFile=0x214, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0088.579] WriteFile (in: hFile=0x1d4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0088.579] SetEndOfFile (hFile=0x1d4) returned 1 [0088.580] CloseHandle (hObject=0x1d4) returned 1 [0088.580] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.580] SetEndOfFile (hFile=0x214) returned 1 [0088.581] CloseHandle (hObject=0x214) returned 1 [0088.581] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0088.581] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 1 [0088.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0088.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0088.581] lstrlenW (lpString=".doc") returned 4 [0088.581] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0088.582] lstrlenW (lpString=".docx") returned 5 [0088.582] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0088.582] lstrlenW (lpString=".pdf") returned 4 [0088.582] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0088.582] lstrlenW (lpString=".xls") returned 4 [0088.582] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0088.582] lstrlenW (lpString=".xlsx") returned 5 [0088.582] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0088.582] lstrlenW (lpString=".ppt") returned 4 [0088.582] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0088.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0088.582] lstrlenW (lpString=".zip") returned 4 [0088.582] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0088.582] lstrlenW (lpString=".rar") returned 4 [0088.582] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0088.582] lstrlenW (lpString=".bz2") returned 4 [0088.582] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0088.582] lstrlenW (lpString=".7z") returned 3 [0088.582] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0088.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0088.582] lstrlenW (lpString=".dbf") returned 4 [0088.582] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0088.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0088.582] lstrlenW (lpString=".1cd") returned 4 [0088.582] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0088.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0088.583] lstrlenW (lpString=".jpg") returned 4 [0088.583] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0088.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0088.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0088.584] lstrlenW (lpString=".doc") returned 4 [0088.584] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0088.584] lstrlenW (lpString=".docx") returned 5 [0088.584] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0088.584] lstrlenW (lpString=".pdf") returned 4 [0088.584] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0088.584] lstrlenW (lpString=".xls") returned 4 [0088.584] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0088.584] lstrlenW (lpString=".xlsx") returned 5 [0088.584] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0088.584] lstrlenW (lpString=".ppt") returned 4 [0088.584] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0088.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0088.585] lstrlenW (lpString=".zip") returned 4 [0088.585] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0088.585] lstrlenW (lpString=".rar") returned 4 [0088.585] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0088.585] lstrlenW (lpString=".bz2") returned 4 [0088.585] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0088.585] lstrlenW (lpString=".7z") returned 3 [0088.585] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0088.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0088.585] lstrlenW (lpString=".dbf") returned 4 [0088.585] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0088.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0088.585] lstrlenW (lpString=".1cd") returned 4 [0088.585] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0088.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0088.585] lstrlenW (lpString=".jpg") returned 4 [0088.585] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0088.585] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0088.585] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0088.585] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0088.628] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=27177) returned 1 [0088.628] CloseHandle (hObject=0x210) returned 1 [0088.628] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png")) returned 0x20 [0088.628] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0088.628] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0088.629] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.629] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0089.605] GetLastError () returned 0x0 [0089.605] ReadFile (in: hFile=0x210, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x6a29, lpOverlapped=0x0) returned 1 [0089.863] WriteFile (in: hFile=0x20c, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x6a30, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x6a30, lpOverlapped=0x0) returned 1 [0089.864] ReadFile (in: hFile=0x210, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0089.864] WriteFile (in: hFile=0x20c, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0089.865] SetEndOfFile (hFile=0x20c) returned 1 [0089.865] CloseHandle (hObject=0x20c) returned 1 [0089.865] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.865] SetEndOfFile (hFile=0x210) returned 1 [0089.866] CloseHandle (hObject=0x210) returned 1 [0089.866] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0089.867] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png")) returned 1 [0089.867] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0089.867] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0089.867] lstrlenW (lpString=".doc") returned 4 [0089.867] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0089.867] lstrlenW (lpString=".docx") returned 5 [0089.867] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0089.867] lstrlenW (lpString=".pdf") returned 4 [0089.867] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0089.867] lstrlenW (lpString=".xls") returned 4 [0089.867] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0089.867] lstrlenW (lpString=".xlsx") returned 5 [0089.867] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0089.867] lstrlenW (lpString=".ppt") returned 4 [0089.867] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0089.867] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0089.867] lstrlenW (lpString=".zip") returned 4 [0089.867] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0089.867] lstrlenW (lpString=".rar") returned 4 [0089.867] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0089.867] lstrlenW (lpString=".bz2") returned 4 [0089.867] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0089.868] lstrlenW (lpString=".7z") returned 3 [0089.868] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0089.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0089.868] lstrlenW (lpString=".dbf") returned 4 [0089.868] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0089.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0089.868] lstrlenW (lpString=".1cd") returned 4 [0089.868] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0089.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0089.868] lstrlenW (lpString=".jpg") returned 4 [0089.868] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0089.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0089.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0089.868] lstrlenW (lpString=".doc") returned 4 [0089.868] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0089.868] lstrlenW (lpString=".docx") returned 5 [0089.868] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0089.868] lstrlenW (lpString=".pdf") returned 4 [0089.868] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0089.868] lstrlenW (lpString=".xls") returned 4 [0089.868] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0089.868] lstrlenW (lpString=".xlsx") returned 5 [0089.868] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0089.868] lstrlenW (lpString=".ppt") returned 4 [0089.868] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0089.868] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0089.868] lstrlenW (lpString=".zip") returned 4 [0089.868] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0089.868] lstrlenW (lpString=".rar") returned 4 [0089.869] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0089.869] lstrlenW (lpString=".bz2") returned 4 [0089.869] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0089.869] lstrlenW (lpString=".7z") returned 3 [0089.869] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0089.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0089.869] lstrlenW (lpString=".dbf") returned 4 [0089.869] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0089.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0089.869] lstrlenW (lpString=".1cd") returned 4 [0089.869] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0089.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0089.869] lstrlenW (lpString=".jpg") returned 4 [0089.869] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0089.869] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0089.869] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0089.869] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0089.870] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1675) returned 1 [0089.870] CloseHandle (hObject=0x210) returned 1 [0089.870] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 0x20 [0089.870] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0089.870] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0089.870] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.870] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.870] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0089.924] GetLastError () returned 0x0 [0089.924] ReadFile (in: hFile=0x210, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x68b, lpOverlapped=0x0) returned 1 [0089.926] WriteFile (in: hFile=0x204, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x690, lpOverlapped=0x0) returned 1 [0089.927] ReadFile (in: hFile=0x210, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0089.928] WriteFile (in: hFile=0x204, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0089.928] SetEndOfFile (hFile=0x204) returned 1 [0089.928] CloseHandle (hObject=0x204) returned 1 [0089.928] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.928] SetEndOfFile (hFile=0x210) returned 1 [0089.929] CloseHandle (hObject=0x210) returned 1 [0089.929] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0089.930] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 1 [0089.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0089.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0089.930] lstrlenW (lpString=".doc") returned 4 [0089.930] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0089.930] lstrlenW (lpString=".docx") returned 5 [0089.930] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0089.930] lstrlenW (lpString=".pdf") returned 4 [0089.930] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0089.930] lstrlenW (lpString=".xls") returned 4 [0089.930] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0089.930] lstrlenW (lpString=".xlsx") returned 5 [0089.930] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0089.930] lstrlenW (lpString=".ppt") returned 4 [0089.930] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0089.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0089.930] lstrlenW (lpString=".zip") returned 4 [0089.930] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0089.930] lstrlenW (lpString=".rar") returned 4 [0089.930] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0089.930] lstrlenW (lpString=".bz2") returned 4 [0089.930] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0089.930] lstrlenW (lpString=".7z") returned 3 [0089.931] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0089.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0089.931] lstrlenW (lpString=".dbf") returned 4 [0089.931] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0089.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0089.931] lstrlenW (lpString=".1cd") returned 4 [0089.931] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0089.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0089.931] lstrlenW (lpString=".jpg") returned 4 [0089.931] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0089.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0089.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0089.931] lstrlenW (lpString=".doc") returned 4 [0089.931] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0089.931] lstrlenW (lpString=".docx") returned 5 [0089.931] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0089.931] lstrlenW (lpString=".pdf") returned 4 [0089.931] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0089.931] lstrlenW (lpString=".xls") returned 4 [0089.931] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0089.931] lstrlenW (lpString=".xlsx") returned 5 [0089.931] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0089.931] lstrlenW (lpString=".ppt") returned 4 [0089.931] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0089.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0089.931] lstrlenW (lpString=".zip") returned 4 [0089.931] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0089.931] lstrlenW (lpString=".rar") returned 4 [0089.931] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0089.932] lstrlenW (lpString=".bz2") returned 4 [0089.932] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0089.932] lstrlenW (lpString=".7z") returned 3 [0089.932] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0089.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0089.932] lstrlenW (lpString=".dbf") returned 4 [0089.932] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0089.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0089.932] lstrlenW (lpString=".1cd") returned 4 [0089.932] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0089.932] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0089.932] lstrlenW (lpString=".jpg") returned 4 [0089.932] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0089.932] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0089.932] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0089.932] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0089.933] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=4991) returned 1 [0089.933] CloseHandle (hObject=0x210) returned 1 [0089.933] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif")) returned 0x20 [0089.933] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0089.933] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0089.933] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.933] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.933] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0089.936] GetLastError () returned 0x0 [0089.936] ReadFile (in: hFile=0x210, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x137f, lpOverlapped=0x0) returned 1 [0089.938] WriteFile (in: hFile=0x214, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x1380, lpOverlapped=0x0) returned 1 [0089.939] ReadFile (in: hFile=0x210, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0089.939] WriteFile (in: hFile=0x214, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0089.940] SetEndOfFile (hFile=0x214) returned 1 [0089.940] CloseHandle (hObject=0x214) returned 1 [0089.940] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.940] SetEndOfFile (hFile=0x210) returned 1 [0089.941] CloseHandle (hObject=0x210) returned 1 [0089.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0089.942] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif")) returned 1 [0089.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0089.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0089.942] lstrlenW (lpString=".doc") returned 4 [0089.942] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0089.942] lstrlenW (lpString=".docx") returned 5 [0089.942] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0089.942] lstrlenW (lpString=".pdf") returned 4 [0089.943] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0089.943] lstrlenW (lpString=".xls") returned 4 [0089.943] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0089.943] lstrlenW (lpString=".xlsx") returned 5 [0089.943] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0089.943] lstrlenW (lpString=".ppt") returned 4 [0089.943] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0089.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0089.943] lstrlenW (lpString=".zip") returned 4 [0089.943] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0089.943] lstrlenW (lpString=".rar") returned 4 [0089.943] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0089.943] lstrlenW (lpString=".bz2") returned 4 [0089.943] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0089.943] lstrlenW (lpString=".7z") returned 3 [0089.943] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0089.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0089.943] lstrlenW (lpString=".dbf") returned 4 [0089.943] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0089.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0089.943] lstrlenW (lpString=".1cd") returned 4 [0089.943] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0089.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0089.943] lstrlenW (lpString=".jpg") returned 4 [0089.943] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0089.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0089.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0089.944] lstrlenW (lpString=".doc") returned 4 [0089.944] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0089.944] lstrlenW (lpString=".docx") returned 5 [0089.944] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0089.944] lstrlenW (lpString=".pdf") returned 4 [0089.944] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0089.944] lstrlenW (lpString=".xls") returned 4 [0089.944] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0089.944] lstrlenW (lpString=".xlsx") returned 5 [0089.944] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0089.944] lstrlenW (lpString=".ppt") returned 4 [0089.944] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0089.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0089.944] lstrlenW (lpString=".zip") returned 4 [0089.944] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0089.944] lstrlenW (lpString=".rar") returned 4 [0089.944] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0089.944] lstrlenW (lpString=".bz2") returned 4 [0089.944] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0089.944] lstrlenW (lpString=".7z") returned 3 [0089.944] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0089.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0089.944] lstrlenW (lpString=".dbf") returned 4 [0089.944] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0089.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0089.944] lstrlenW (lpString=".1cd") returned 4 [0089.944] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0089.945] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0089.945] lstrlenW (lpString=".jpg") returned 4 [0089.945] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0089.945] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0089.945] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0089.945] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0089.945] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=44302) returned 1 [0089.945] CloseHandle (hObject=0x210) returned 1 [0089.946] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 0x20 [0089.946] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0089.946] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0089.946] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.946] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.946] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0089.947] GetLastError () returned 0x0 [0089.947] ReadFile (in: hFile=0x210, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0xad0e, lpOverlapped=0x0) returned 1 [0090.188] WriteFile (in: hFile=0x214, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xad10, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xad10, lpOverlapped=0x0) returned 1 [0090.190] ReadFile (in: hFile=0x210, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0090.190] WriteFile (in: hFile=0x214, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xec, lpOverlapped=0x0) returned 1 [0090.190] SetEndOfFile (hFile=0x214) returned 1 [0090.191] CloseHandle (hObject=0x214) returned 1 [0090.192] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.192] SetEndOfFile (hFile=0x210) returned 1 [0090.193] CloseHandle (hObject=0x210) returned 1 [0090.193] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0090.193] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 1 [0090.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0090.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0090.194] lstrlenW (lpString=".doc") returned 4 [0090.194] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0090.194] lstrlenW (lpString=".docx") returned 5 [0090.194] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0090.194] lstrlenW (lpString=".pdf") returned 4 [0090.194] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0090.194] lstrlenW (lpString=".xls") returned 4 [0090.194] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0090.194] lstrlenW (lpString=".xlsx") returned 5 [0090.194] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0090.194] lstrlenW (lpString=".ppt") returned 4 [0090.194] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0090.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0090.194] lstrlenW (lpString=".zip") returned 4 [0090.194] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0090.194] lstrlenW (lpString=".rar") returned 4 [0090.194] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0090.194] lstrlenW (lpString=".bz2") returned 4 [0090.194] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0090.194] lstrlenW (lpString=".7z") returned 3 [0090.194] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0090.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0090.194] lstrlenW (lpString=".dbf") returned 4 [0090.194] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0090.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0090.195] lstrlenW (lpString=".1cd") returned 4 [0090.195] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0090.195] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0090.195] lstrlenW (lpString=".jpg") returned 4 [0090.195] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0090.195] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0090.195] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0090.195] lstrlenW (lpString=".doc") returned 4 [0090.195] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0090.195] lstrlenW (lpString=".docx") returned 5 [0090.195] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0090.195] lstrlenW (lpString=".pdf") returned 4 [0090.195] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0090.195] lstrlenW (lpString=".xls") returned 4 [0090.195] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0090.195] lstrlenW (lpString=".xlsx") returned 5 [0090.195] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0090.195] lstrlenW (lpString=".ppt") returned 4 [0090.195] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0090.195] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0090.195] lstrlenW (lpString=".zip") returned 4 [0090.195] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0090.195] lstrlenW (lpString=".rar") returned 4 [0090.195] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0090.195] lstrlenW (lpString=".bz2") returned 4 [0090.195] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0090.195] lstrlenW (lpString=".7z") returned 3 [0090.195] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0090.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0090.196] lstrlenW (lpString=".dbf") returned 4 [0090.196] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0090.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0090.196] lstrlenW (lpString=".1cd") returned 4 [0090.196] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0090.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0090.196] lstrlenW (lpString=".jpg") returned 4 [0090.196] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0090.196] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0090.196] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0090.196] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0092.676] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=1571) returned 1 [0092.676] CloseHandle (hObject=0x1f4) returned 1 [0092.676] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif")) returned 0x20 [0092.676] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0092.676] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0092.676] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.677] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.677] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0092.989] GetLastError () returned 0x0 [0092.989] ReadFile (in: hFile=0x1f4, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x623, lpOverlapped=0x0) returned 1 [0092.991] WriteFile (in: hFile=0x1b4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0x630, lpOverlapped=0x0) returned 1 [0092.992] ReadFile (in: hFile=0x1f4, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0092.992] WriteFile (in: hFile=0x1b4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0092.992] SetEndOfFile (hFile=0x1b4) returned 1 [0092.993] CloseHandle (hObject=0x1b4) returned 1 [0092.993] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.993] SetEndOfFile (hFile=0x1f4) returned 1 [0092.994] CloseHandle (hObject=0x1f4) returned 1 [0092.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0092.994] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif")) returned 1 [0092.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0092.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0092.995] lstrlenW (lpString=".doc") returned 4 [0092.995] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0092.995] lstrlenW (lpString=".docx") returned 5 [0092.995] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0092.995] lstrlenW (lpString=".pdf") returned 4 [0092.995] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0092.995] lstrlenW (lpString=".xls") returned 4 [0092.995] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0092.995] lstrlenW (lpString=".xlsx") returned 5 [0092.995] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0092.995] lstrlenW (lpString=".ppt") returned 4 [0092.995] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0092.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0092.995] lstrlenW (lpString=".zip") returned 4 [0092.995] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0092.995] lstrlenW (lpString=".rar") returned 4 [0092.995] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0092.995] lstrlenW (lpString=".bz2") returned 4 [0092.995] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0092.995] lstrlenW (lpString=".7z") returned 3 [0092.996] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0092.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0092.996] lstrlenW (lpString=".dbf") returned 4 [0092.996] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0092.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0092.996] lstrlenW (lpString=".1cd") returned 4 [0092.996] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0092.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0092.996] lstrlenW (lpString=".jpg") returned 4 [0092.996] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0092.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0092.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0092.996] lstrlenW (lpString=".doc") returned 4 [0092.996] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0092.996] lstrlenW (lpString=".docx") returned 5 [0092.996] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0092.996] lstrlenW (lpString=".pdf") returned 4 [0092.996] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0092.996] lstrlenW (lpString=".xls") returned 4 [0092.996] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0092.996] lstrlenW (lpString=".xlsx") returned 5 [0092.996] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0092.996] lstrlenW (lpString=".ppt") returned 4 [0092.996] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0092.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0092.996] lstrlenW (lpString=".zip") returned 4 [0092.997] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0092.997] lstrlenW (lpString=".rar") returned 4 [0092.997] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0092.997] lstrlenW (lpString=".bz2") returned 4 [0092.997] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0092.997] lstrlenW (lpString=".7z") returned 3 [0092.997] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0092.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0092.997] lstrlenW (lpString=".dbf") returned 4 [0092.997] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0092.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0092.997] lstrlenW (lpString=".1cd") returned 4 [0092.997] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0092.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0092.997] lstrlenW (lpString=".jpg") returned 4 [0092.997] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0092.997] lstrcmpiW (lpString1=".inc", lpString2=".mnbzr") returned -1 [0092.997] lstrlenW (lpString="adcjavas.inc") returned 12 [0092.997] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0092.999] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=630) returned 1 [0092.999] CloseHandle (hObject=0x1b4) returned 1 [0092.999] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc")) returned 0x20 [0092.999] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0092.999] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0092.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0092.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0092.999] lstrlenW (lpString=".doc") returned 4 [0092.999] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0093.000] lstrlenW (lpString=".docx") returned 5 [0093.000] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0093.000] lstrlenW (lpString=".pdf") returned 4 [0093.000] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0093.000] lstrlenW (lpString=".xls") returned 4 [0093.000] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0093.000] lstrlenW (lpString=".xlsx") returned 5 [0093.000] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0093.000] lstrlenW (lpString=".ppt") returned 4 [0093.000] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0093.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0093.000] lstrlenW (lpString=".zip") returned 4 [0093.000] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0093.000] lstrlenW (lpString=".rar") returned 4 [0093.000] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0093.000] lstrlenW (lpString=".bz2") returned 4 [0093.000] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0093.000] lstrlenW (lpString=".7z") returned 3 [0093.000] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0093.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0093.000] lstrlenW (lpString=".dbf") returned 4 [0093.000] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0093.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0093.000] lstrlenW (lpString=".1cd") returned 4 [0093.000] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0093.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0093.000] lstrlenW (lpString=".jpg") returned 4 [0093.000] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0093.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0093.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0093.001] lstrlenW (lpString=".doc") returned 4 [0093.001] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0093.001] lstrlenW (lpString=".docx") returned 5 [0093.001] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0093.001] lstrlenW (lpString=".pdf") returned 4 [0093.001] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0093.001] lstrlenW (lpString=".xls") returned 4 [0093.001] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0093.001] lstrlenW (lpString=".xlsx") returned 5 [0093.001] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0093.001] lstrlenW (lpString=".ppt") returned 4 [0093.001] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0093.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0093.001] lstrlenW (lpString=".zip") returned 4 [0093.001] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0093.001] lstrlenW (lpString=".rar") returned 4 [0093.001] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0093.001] lstrlenW (lpString=".bz2") returned 4 [0093.001] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0093.001] lstrlenW (lpString=".7z") returned 3 [0093.001] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0093.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0093.001] lstrlenW (lpString=".dbf") returned 4 [0093.001] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0093.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0093.002] lstrlenW (lpString=".1cd") returned 4 [0093.002] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0093.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0093.002] lstrlenW (lpString=".jpg") returned 4 [0093.002] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0093.002] lstrcmpiW (lpString1=".inc", lpString2=".mnbzr") returned -1 [0093.002] lstrlenW (lpString="adcvbs.inc") returned 10 [0093.002] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0093.002] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=623) returned 1 [0093.002] CloseHandle (hObject=0x1b4) returned 1 [0093.002] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc")) returned 0x20 [0093.003] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0093.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0093.003] lstrlenW (lpString=".doc") returned 4 [0093.003] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0093.003] lstrlenW (lpString=".docx") returned 5 [0093.003] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0093.003] lstrlenW (lpString=".pdf") returned 4 [0093.003] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0093.003] lstrlenW (lpString=".xls") returned 4 [0093.003] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0093.003] lstrlenW (lpString=".xlsx") returned 5 [0093.003] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0093.003] lstrlenW (lpString=".ppt") returned 4 [0093.003] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0093.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0093.003] lstrlenW (lpString=".zip") returned 4 [0093.003] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0093.003] lstrlenW (lpString=".rar") returned 4 [0093.003] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0093.003] lstrlenW (lpString=".bz2") returned 4 [0093.003] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0093.003] lstrlenW (lpString=".7z") returned 3 [0093.004] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0093.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0093.004] lstrlenW (lpString=".dbf") returned 4 [0093.004] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0093.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0093.004] lstrlenW (lpString=".1cd") returned 4 [0093.004] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0093.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0093.004] lstrlenW (lpString=".jpg") returned 4 [0093.004] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0093.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0093.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0093.004] lstrlenW (lpString=".doc") returned 4 [0093.004] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0093.004] lstrlenW (lpString=".docx") returned 5 [0093.004] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0093.004] lstrlenW (lpString=".pdf") returned 4 [0093.004] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0093.004] lstrlenW (lpString=".xls") returned 4 [0093.004] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0093.004] lstrlenW (lpString=".xlsx") returned 5 [0093.004] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0093.004] lstrlenW (lpString=".ppt") returned 4 [0093.004] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0093.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0093.004] lstrlenW (lpString=".zip") returned 4 [0093.005] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0093.005] lstrlenW (lpString=".rar") returned 4 [0093.005] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0093.005] lstrlenW (lpString=".bz2") returned 4 [0093.005] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0093.005] lstrlenW (lpString=".7z") returned 3 [0093.005] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0093.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0093.005] lstrlenW (lpString=".dbf") returned 4 [0093.005] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0093.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0093.005] lstrlenW (lpString=".1cd") returned 4 [0093.005] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0093.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 53 [0093.005] lstrlenW (lpString=".jpg") returned 4 [0093.005] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0093.005] lstrcmpiW (lpString1=".inc", lpString2=".mnbzr") returned -1 [0093.005] lstrlenW (lpString="oledbjvs.inc") returned 12 [0093.005] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.007] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=9804) returned 1 [0093.007] CloseHandle (hObject=0x1f4) returned 1 [0093.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc")) returned 0x20 [0093.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0093.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0093.008] lstrlenW (lpString=".doc") returned 4 [0093.008] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0093.008] lstrlenW (lpString=".docx") returned 5 [0093.008] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0093.008] lstrlenW (lpString=".pdf") returned 4 [0093.008] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0093.008] lstrlenW (lpString=".xls") returned 4 [0093.008] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0093.008] lstrlenW (lpString=".xlsx") returned 5 [0093.008] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0093.008] lstrlenW (lpString=".ppt") returned 4 [0093.008] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0093.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0093.008] lstrlenW (lpString=".zip") returned 4 [0093.008] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0093.008] lstrlenW (lpString=".rar") returned 4 [0093.008] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0093.009] lstrlenW (lpString=".bz2") returned 4 [0093.009] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0093.009] lstrlenW (lpString=".7z") returned 3 [0093.009] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0093.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0093.009] lstrlenW (lpString=".dbf") returned 4 [0093.009] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0093.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0093.009] lstrlenW (lpString=".1cd") returned 4 [0093.009] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0093.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0093.009] lstrlenW (lpString=".jpg") returned 4 [0093.009] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0093.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0093.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0093.009] lstrlenW (lpString=".doc") returned 4 [0093.009] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0093.009] lstrlenW (lpString=".docx") returned 5 [0093.009] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0093.009] lstrlenW (lpString=".pdf") returned 4 [0093.009] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0093.009] lstrlenW (lpString=".xls") returned 4 [0093.009] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0093.009] lstrlenW (lpString=".xlsx") returned 5 [0093.009] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0093.009] lstrlenW (lpString=".ppt") returned 4 [0093.009] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0093.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0093.010] lstrlenW (lpString=".zip") returned 4 [0093.010] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0093.010] lstrlenW (lpString=".rar") returned 4 [0093.010] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0093.010] lstrlenW (lpString=".bz2") returned 4 [0093.010] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0093.010] lstrlenW (lpString=".7z") returned 3 [0093.010] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0093.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0093.010] lstrlenW (lpString=".dbf") returned 4 [0093.010] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0093.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0093.010] lstrlenW (lpString=".1cd") returned 4 [0093.010] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0093.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0093.010] lstrlenW (lpString=".jpg") returned 4 [0093.010] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0093.010] lstrcmpiW (lpString1=".inc", lpString2=".mnbzr") returned -1 [0093.010] lstrlenW (lpString="oledbvbs.inc") returned 12 [0093.010] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.011] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=9975) returned 1 [0093.011] CloseHandle (hObject=0x1f4) returned 1 [0093.011] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc")) returned 0x20 [0093.011] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0093.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0093.011] lstrlenW (lpString=".doc") returned 4 [0093.011] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0093.011] lstrlenW (lpString=".docx") returned 5 [0093.011] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0093.011] lstrlenW (lpString=".pdf") returned 4 [0093.011] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0093.011] lstrlenW (lpString=".xls") returned 4 [0093.011] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0093.012] lstrlenW (lpString=".xlsx") returned 5 [0093.012] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0093.012] lstrlenW (lpString=".ppt") returned 4 [0093.012] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0093.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0093.012] lstrlenW (lpString=".zip") returned 4 [0093.012] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0093.012] lstrlenW (lpString=".rar") returned 4 [0093.012] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0093.012] lstrlenW (lpString=".bz2") returned 4 [0093.012] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0093.012] lstrlenW (lpString=".7z") returned 3 [0093.012] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0093.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0093.012] lstrlenW (lpString=".dbf") returned 4 [0093.012] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0093.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0093.012] lstrlenW (lpString=".1cd") returned 4 [0093.012] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0093.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0093.012] lstrlenW (lpString=".jpg") returned 4 [0093.012] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0093.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0093.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0093.012] lstrlenW (lpString=".doc") returned 4 [0093.012] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0093.012] lstrlenW (lpString=".docx") returned 5 [0093.013] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0093.013] lstrlenW (lpString=".pdf") returned 4 [0093.013] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0093.013] lstrlenW (lpString=".xls") returned 4 [0093.013] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0093.013] lstrlenW (lpString=".xlsx") returned 5 [0093.013] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0093.013] lstrlenW (lpString=".ppt") returned 4 [0093.013] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0093.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0093.013] lstrlenW (lpString=".zip") returned 4 [0093.013] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0093.013] lstrlenW (lpString=".rar") returned 4 [0093.013] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0093.013] lstrlenW (lpString=".bz2") returned 4 [0093.013] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0093.013] lstrlenW (lpString=".7z") returned 3 [0093.013] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0093.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0093.013] lstrlenW (lpString=".dbf") returned 4 [0093.013] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0093.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0093.013] lstrlenW (lpString=".1cd") returned 4 [0093.013] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0093.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0093.013] lstrlenW (lpString=".jpg") returned 4 [0093.013] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0093.014] lstrcmpiW (lpString1=".ini", lpString2=".mnbzr") returned -1 [0093.014] lstrlenW (lpString="desktop.ini") returned 11 [0093.014] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.014] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=174) returned 1 [0093.014] CloseHandle (hObject=0x1f4) returned 1 [0093.014] GetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 0x26 [0093.014] GetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\desktop.ini.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.014] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.014] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0093.014] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0093.015] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\desktop.ini.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0093.015] GetLastError () returned 0x0 [0093.015] ReadFile (in: hFile=0x1f4, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0xae, lpOverlapped=0x0) returned 1 [0093.016] WriteFile (in: hFile=0x1b4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xb0, lpOverlapped=0x0) returned 1 [0093.023] ReadFile (in: hFile=0x1f4, lpBuffer=0x2ea0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x299fed4, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesRead=0x299fed4*=0x0, lpOverlapped=0x0) returned 1 [0093.023] WriteFile (in: hFile=0x1b4, lpBuffer=0x2ea0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x299fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0020*, lpNumberOfBytesWritten=0x299fc9c*=0xea, lpOverlapped=0x0) returned 1 [0093.023] SetEndOfFile (hFile=0x1b4) returned 1 [0093.023] CloseHandle (hObject=0x1b4) returned 1 [0093.023] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x299fec8 | out: lpNewFilePointer=0x0) returned 1 [0093.023] SetEndOfFile (hFile=0x1f4) returned 1 [0093.024] CloseHandle (hObject=0x1f4) returned 1 [0093.024] SetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x26) returned 1 [0093.025] DeleteFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 1 [0093.025] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0093.025] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0093.025] lstrlenW (lpString=".doc") returned 4 [0093.025] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0093.025] lstrlenW (lpString=".docx") returned 5 [0093.025] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0093.025] lstrlenW (lpString=".pdf") returned 4 [0093.025] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0093.025] lstrlenW (lpString=".xls") returned 4 [0093.025] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0093.025] lstrlenW (lpString=".xlsx") returned 5 [0093.025] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0093.026] lstrlenW (lpString=".ppt") returned 4 [0093.026] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0093.026] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0093.026] lstrlenW (lpString=".zip") returned 4 [0093.026] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0093.026] lstrlenW (lpString=".rar") returned 4 [0093.026] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0093.026] lstrlenW (lpString=".bz2") returned 4 [0093.026] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0093.026] lstrlenW (lpString=".7z") returned 3 [0093.026] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0093.026] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0093.026] lstrlenW (lpString=".dbf") returned 4 [0093.026] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0093.026] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0093.026] lstrlenW (lpString=".1cd") returned 4 [0093.026] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0093.026] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0093.026] lstrlenW (lpString=".jpg") returned 4 [0093.026] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0093.026] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0093.026] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0093.026] lstrlenW (lpString=".doc") returned 4 [0093.026] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0093.026] lstrlenW (lpString=".docx") returned 5 [0093.026] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0093.026] lstrlenW (lpString=".pdf") returned 4 [0093.027] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0093.027] lstrlenW (lpString=".xls") returned 4 [0093.027] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0093.027] lstrlenW (lpString=".xlsx") returned 5 [0093.027] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0093.027] lstrlenW (lpString=".ppt") returned 4 [0093.027] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0093.027] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0093.027] lstrlenW (lpString=".zip") returned 4 [0093.027] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0093.027] lstrlenW (lpString=".rar") returned 4 [0093.027] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0093.027] lstrlenW (lpString=".bz2") returned 4 [0093.027] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0093.027] lstrlenW (lpString=".7z") returned 3 [0093.027] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0093.027] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0093.027] lstrlenW (lpString=".dbf") returned 4 [0093.027] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0093.027] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0093.027] lstrlenW (lpString=".1cd") returned 4 [0093.027] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0093.027] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0093.027] lstrlenW (lpString=".jpg") returned 4 [0093.027] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0093.028] lstrcmpiW (lpString1=".png", lpString2=".mnbzr") returned 1 [0093.028] lstrlenW (lpString="DissolveAnother.png") returned 19 [0093.028] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0093.279] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x299ff1c | out: lpFileSize=0x299ff1c*=27935) returned 1 [0093.280] CloseHandle (hObject=0x1d8) returned 1 [0093.280] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png")) returned 0x20 [0093.280] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.280] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.280] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0093.280] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0093.280] lstrlenW (lpString=".doc") returned 4 [0093.280] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.280] lstrlenW (lpString=".docx") returned 5 [0093.280] lstrcmpiW (lpString1=".docx", lpString2="r.png") returned -1 [0093.280] lstrlenW (lpString=".pdf") returned 4 [0093.280] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.280] lstrlenW (lpString=".xls") returned 4 [0093.280] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.280] lstrlenW (lpString=".xlsx") returned 5 [0093.280] lstrcmpiW (lpString1=".xlsx", lpString2="r.png") returned -1 [0093.280] lstrlenW (lpString=".ppt") returned 4 [0093.280] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.280] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0093.281] lstrlenW (lpString=".zip") returned 4 [0093.281] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.281] lstrlenW (lpString=".rar") returned 4 [0093.281] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.281] lstrlenW (lpString=".bz2") returned 4 [0093.281] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.281] lstrlenW (lpString=".7z") returned 3 [0093.281] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.281] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0093.281] lstrlenW (lpString=".dbf") returned 4 [0093.281] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.281] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0093.281] lstrlenW (lpString=".1cd") returned 4 [0093.281] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0093.281] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0093.281] lstrlenW (lpString=".jpg") returned 4 [0093.281] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0093.281] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0093.281] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0093.281] lstrlenW (lpString=".doc") returned 4 [0093.281] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.281] lstrlenW (lpString=".docx") returned 5 [0093.281] lstrcmpiW (lpString1=".docx", lpString2="r.png") returned -1 [0093.281] lstrlenW (lpString=".pdf") returned 4 [0093.281] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.281] lstrlenW (lpString=".xls") returned 4 [0093.282] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.282] lstrlenW (lpString=".xlsx") returned 5 [0093.282] lstrcmpiW (lpString1=".xlsx", lpString2="r.png") returned -1 [0093.282] lstrlenW (lpString=".ppt") returned 4 [0093.282] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.282] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0093.282] lstrlenW (lpString=".zip") returned 4 [0093.282] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.282] lstrlenW (lpString=".rar") returned 4 [0093.282] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.282] lstrlenW (lpString=".bz2") returned 4 [0093.282] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.282] lstrlenW (lpString=".7z") returned 3 [0093.282] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.282] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0093.282] lstrlenW (lpString=".dbf") returned 4 [0093.282] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.282] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0093.282] lstrlenW (lpString=".1cd") returned 4 [0093.282] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0093.282] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0093.282] lstrlenW (lpString=".jpg") returned 4 [0093.282] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0093.282] lstrcmpiW (lpString1=".png", lpString2=".mnbzr") returned 1 [0093.283] lstrlenW (lpString="highlight.png") returned 13 [0093.283] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\highlight.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 10 os_tid = 0x67c [0066.896] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x2e7c38 [0066.897] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x2f7c40 [0066.897] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298bb0 [0066.897] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x27a388 [0066.897] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298bf8 [0066.897] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x100000) returned 0x2fb0020 [0066.898] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298c40 [0066.898] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298c40, Size=0x20) returned 0x2df448 [0066.898] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298c40 [0066.898] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298c40, Size=0x20) returned 0x2df3a8 [0066.898] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0066.898] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0066.898] Wow64DisableWow64FsRedirection (in: OldValue=0x2adff58 | out: OldValue=0x2adff58*=0x0) returned 1 [0066.898] lstrlenW (lpString="kernel32.dll") returned 12 [0066.898] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df448 | out: hHeap=0x240000) returned 1 [0066.898] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0066.898] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df3a8 | out: hHeap=0x240000) returned 1 [0066.898] Sleep (dwMilliseconds=0x64) [0067.052] Sleep (dwMilliseconds=0x64) [0067.507] lstrcmpiW (lpString1=".BAK", lpString2=".mnbzr") returned -1 [0067.507] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0067.507] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0067.959] GetFileSizeEx (in: hFile=0x1e0, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=8192) returned 1 [0067.959] CloseHandle (hObject=0x1e0) returned 1 [0067.959] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 0x27 [0067.959] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\bootsect.bak.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.959] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0067.960] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0067.960] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0067.960] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0067.960] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\bootsect.bak.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0068.001] GetLastError () returned 0x0 [0068.001] ReadFile (in: hFile=0x1e0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x2000, lpOverlapped=0x0) returned 1 [0068.101] WriteFile (in: hFile=0x1e4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x2010, lpOverlapped=0x0) returned 1 [0068.103] ReadFile (in: hFile=0x1e0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0068.103] WriteFile (in: hFile=0x1e4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xec, lpOverlapped=0x0) returned 1 [0068.103] SetEndOfFile (hFile=0x1e4) returned 1 [0068.103] CloseHandle (hObject=0x1e4) returned 1 [0068.105] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0068.105] SetEndOfFile (hFile=0x1e0) returned 1 [0068.106] CloseHandle (hObject=0x1e0) returned 1 [0068.106] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x27) returned 1 [0068.107] DeleteFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 1 [0068.107] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0068.107] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0068.107] lstrlenW (lpString=".doc") returned 4 [0068.107] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0068.107] lstrlenW (lpString=".docx") returned 5 [0068.107] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0068.107] lstrlenW (lpString=".pdf") returned 4 [0068.107] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0068.107] lstrlenW (lpString=".xls") returned 4 [0068.107] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0068.107] lstrlenW (lpString=".xlsx") returned 5 [0068.107] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0068.107] lstrlenW (lpString=".ppt") returned 4 [0068.107] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0068.107] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0068.107] lstrlenW (lpString=".zip") returned 4 [0068.107] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0068.107] lstrlenW (lpString=".rar") returned 4 [0068.107] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0068.107] lstrlenW (lpString=".bz2") returned 4 [0068.108] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0068.108] lstrlenW (lpString=".7z") returned 3 [0068.108] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0068.108] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0068.108] lstrlenW (lpString=".dbf") returned 4 [0068.108] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0068.108] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0068.108] lstrlenW (lpString=".1cd") returned 4 [0068.108] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0068.108] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0068.108] lstrlenW (lpString=".jpg") returned 4 [0068.108] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0068.108] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0068.108] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0068.108] lstrlenW (lpString=".doc") returned 4 [0068.108] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0068.108] lstrlenW (lpString=".docx") returned 5 [0068.108] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0068.108] lstrlenW (lpString=".pdf") returned 4 [0068.108] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0068.108] lstrlenW (lpString=".xls") returned 4 [0068.108] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0068.108] lstrlenW (lpString=".xlsx") returned 5 [0068.108] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0068.108] lstrlenW (lpString=".ppt") returned 4 [0068.109] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0068.109] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0068.109] lstrlenW (lpString=".zip") returned 4 [0068.109] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0068.109] lstrlenW (lpString=".rar") returned 4 [0068.109] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0068.109] lstrlenW (lpString=".bz2") returned 4 [0068.109] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0068.109] lstrlenW (lpString=".7z") returned 3 [0068.109] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0068.109] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0068.109] lstrlenW (lpString=".dbf") returned 4 [0068.109] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0068.109] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0068.109] lstrlenW (lpString=".1cd") returned 4 [0068.109] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0068.109] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0068.109] lstrlenW (lpString=".jpg") returned 4 [0068.109] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0068.109] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0068.109] lstrlenW (lpString="Setup.xml") returned 9 [0068.109] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0068.110] GetFileSizeEx (in: hFile=0x1e0, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=1852) returned 1 [0068.110] CloseHandle (hObject=0x1e0) returned 1 [0068.110] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0068.110] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0068.110] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0068.110] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0068.110] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0068.110] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0068.111] GetLastError () returned 0x0 [0068.111] ReadFile (in: hFile=0x1e0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x73c, lpOverlapped=0x0) returned 1 [0069.299] WriteFile (in: hFile=0x1e4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x740, lpOverlapped=0x0) returned 1 [0069.300] ReadFile (in: hFile=0x1e0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0069.300] WriteFile (in: hFile=0x1e4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0069.300] SetEndOfFile (hFile=0x1e4) returned 1 [0069.300] CloseHandle (hObject=0x1e4) returned 1 [0069.301] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0069.301] SetEndOfFile (hFile=0x1e0) returned 1 [0069.302] CloseHandle (hObject=0x1e0) returned 1 [0069.309] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0069.310] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0069.310] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.310] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.310] lstrlenW (lpString=".doc") returned 4 [0069.310] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.310] lstrlenW (lpString=".docx") returned 5 [0069.310] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0069.310] lstrlenW (lpString=".pdf") returned 4 [0069.310] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.310] lstrlenW (lpString=".xls") returned 4 [0069.310] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.310] lstrlenW (lpString=".xlsx") returned 5 [0069.310] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0069.310] lstrlenW (lpString=".ppt") returned 4 [0069.310] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.311] lstrlenW (lpString=".zip") returned 4 [0069.311] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.311] lstrlenW (lpString=".rar") returned 4 [0069.311] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.311] lstrlenW (lpString=".bz2") returned 4 [0069.311] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.311] lstrlenW (lpString=".7z") returned 3 [0069.311] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.311] lstrlenW (lpString=".dbf") returned 4 [0069.311] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.311] lstrlenW (lpString=".1cd") returned 4 [0069.311] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.311] lstrlenW (lpString=".jpg") returned 4 [0069.311] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.311] lstrlenW (lpString=".doc") returned 4 [0069.311] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.311] lstrlenW (lpString=".docx") returned 5 [0069.311] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0069.311] lstrlenW (lpString=".pdf") returned 4 [0069.311] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.311] lstrlenW (lpString=".xls") returned 4 [0069.311] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.311] lstrlenW (lpString=".xlsx") returned 5 [0069.311] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0069.311] lstrlenW (lpString=".ppt") returned 4 [0069.311] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.312] lstrlenW (lpString=".zip") returned 4 [0069.312] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.312] lstrlenW (lpString=".rar") returned 4 [0069.312] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.312] lstrlenW (lpString=".bz2") returned 4 [0069.312] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.312] lstrlenW (lpString=".7z") returned 3 [0069.312] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.312] lstrlenW (lpString=".dbf") returned 4 [0069.312] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.312] lstrlenW (lpString=".1cd") returned 4 [0069.312] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.312] lstrlenW (lpString=".jpg") returned 4 [0069.312] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.312] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0069.312] lstrlenW (lpString="Setup.xml") returned 9 [0069.312] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0069.607] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=1452) returned 1 [0069.607] CloseHandle (hObject=0x208) returned 1 [0069.607] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0069.607] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0069.608] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0069.608] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0069.608] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0069.608] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0069.608] GetLastError () returned 0x0 [0069.608] ReadFile (in: hFile=0x208, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x5ac, lpOverlapped=0x0) returned 1 [0069.653] WriteFile (in: hFile=0x20c, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0069.654] ReadFile (in: hFile=0x208, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0069.654] WriteFile (in: hFile=0x20c, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0069.655] SetEndOfFile (hFile=0x20c) returned 1 [0069.655] CloseHandle (hObject=0x20c) returned 1 [0069.656] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0069.656] SetEndOfFile (hFile=0x208) returned 1 [0069.656] CloseHandle (hObject=0x208) returned 1 [0069.656] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0069.657] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0069.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.657] lstrlenW (lpString=".doc") returned 4 [0069.657] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.657] lstrlenW (lpString=".docx") returned 5 [0069.657] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0069.657] lstrlenW (lpString=".pdf") returned 4 [0069.657] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.657] lstrlenW (lpString=".xls") returned 4 [0069.657] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.657] lstrlenW (lpString=".xlsx") returned 5 [0069.657] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0069.657] lstrlenW (lpString=".ppt") returned 4 [0069.657] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.657] lstrlenW (lpString=".zip") returned 4 [0069.657] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.657] lstrlenW (lpString=".rar") returned 4 [0069.657] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.658] lstrlenW (lpString=".bz2") returned 4 [0069.658] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.658] lstrlenW (lpString=".7z") returned 3 [0069.658] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.658] lstrlenW (lpString=".dbf") returned 4 [0069.658] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.658] lstrlenW (lpString=".1cd") returned 4 [0069.658] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.658] lstrlenW (lpString=".jpg") returned 4 [0069.658] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.658] lstrlenW (lpString=".doc") returned 4 [0069.658] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.658] lstrlenW (lpString=".docx") returned 5 [0069.658] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0069.658] lstrlenW (lpString=".pdf") returned 4 [0069.658] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.658] lstrlenW (lpString=".xls") returned 4 [0069.658] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.658] lstrlenW (lpString=".xlsx") returned 5 [0069.658] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0069.658] lstrlenW (lpString=".ppt") returned 4 [0069.658] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.658] lstrlenW (lpString=".zip") returned 4 [0069.658] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.658] lstrlenW (lpString=".rar") returned 4 [0069.658] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.659] lstrlenW (lpString=".bz2") returned 4 [0069.659] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.659] lstrlenW (lpString=".7z") returned 3 [0069.659] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.659] lstrlenW (lpString=".dbf") returned 4 [0069.659] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.659] lstrlenW (lpString=".1cd") returned 4 [0069.659] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.659] lstrlenW (lpString=".jpg") returned 4 [0069.659] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.659] lstrcmpiW (lpString1=".chm", lpString2=".mnbzr") returned -1 [0069.659] lstrlenW (lpString="setup.chm") returned 9 [0069.659] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0069.670] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=67190) returned 1 [0069.670] CloseHandle (hObject=0x208) returned 1 [0069.670] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 0x2020 [0069.670] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0069.670] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0069.670] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0069.670] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0069.670] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0069.671] GetLastError () returned 0x0 [0069.671] ReadFile (in: hFile=0x208, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x10676, lpOverlapped=0x0) returned 1 [0069.718] WriteFile (in: hFile=0x20c, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x10680, lpOverlapped=0x0) returned 1 [0069.720] ReadFile (in: hFile=0x208, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0069.720] WriteFile (in: hFile=0x20c, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0069.720] SetEndOfFile (hFile=0x20c) returned 1 [0069.720] CloseHandle (hObject=0x20c) returned 1 [0069.721] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0069.722] SetEndOfFile (hFile=0x208) returned 1 [0069.723] CloseHandle (hObject=0x208) returned 1 [0069.723] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0069.723] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 1 [0069.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0069.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0069.724] lstrlenW (lpString=".doc") returned 4 [0069.724] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0069.724] lstrlenW (lpString=".docx") returned 5 [0069.724] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0069.724] lstrlenW (lpString=".pdf") returned 4 [0069.724] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0069.724] lstrlenW (lpString=".xls") returned 4 [0069.724] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0069.724] lstrlenW (lpString=".xlsx") returned 5 [0069.724] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0069.724] lstrlenW (lpString=".ppt") returned 4 [0069.724] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0069.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0069.724] lstrlenW (lpString=".zip") returned 4 [0069.724] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0069.724] lstrlenW (lpString=".rar") returned 4 [0069.724] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0069.724] lstrlenW (lpString=".bz2") returned 4 [0069.724] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0069.724] lstrlenW (lpString=".7z") returned 3 [0069.724] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0069.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0069.724] lstrlenW (lpString=".dbf") returned 4 [0069.724] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0069.725] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0069.725] lstrlenW (lpString=".1cd") returned 4 [0069.725] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0069.725] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0069.725] lstrlenW (lpString=".jpg") returned 4 [0069.725] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0069.725] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0069.725] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0069.725] lstrlenW (lpString=".doc") returned 4 [0069.725] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0069.725] lstrlenW (lpString=".docx") returned 5 [0069.725] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0069.725] lstrlenW (lpString=".pdf") returned 4 [0069.725] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0069.725] lstrlenW (lpString=".xls") returned 4 [0069.725] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0069.725] lstrlenW (lpString=".xlsx") returned 5 [0069.725] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0069.725] lstrlenW (lpString=".ppt") returned 4 [0069.725] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0069.725] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0069.725] lstrlenW (lpString=".zip") returned 4 [0069.725] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0069.725] lstrlenW (lpString=".rar") returned 4 [0069.725] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0069.725] lstrlenW (lpString=".bz2") returned 4 [0069.725] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0069.725] lstrlenW (lpString=".7z") returned 3 [0069.725] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0069.725] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0069.725] lstrlenW (lpString=".dbf") returned 4 [0069.725] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0069.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0069.726] lstrlenW (lpString=".1cd") returned 4 [0069.726] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0069.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0069.726] lstrlenW (lpString=".jpg") returned 4 [0069.726] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0069.726] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0069.726] lstrlenW (lpString="AccessMUISet.xml") returned 16 [0069.726] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0069.726] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=819) returned 1 [0069.726] CloseHandle (hObject=0x208) returned 1 [0069.727] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 0x2020 [0069.727] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0069.727] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0069.727] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0069.727] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0069.727] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0069.727] GetLastError () returned 0x0 [0069.728] ReadFile (in: hFile=0x208, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x333, lpOverlapped=0x0) returned 1 [0070.622] WriteFile (in: hFile=0x20c, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x340, lpOverlapped=0x0) returned 1 [0070.623] ReadFile (in: hFile=0x208, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0070.623] WriteFile (in: hFile=0x20c, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xf4, lpOverlapped=0x0) returned 1 [0070.623] SetEndOfFile (hFile=0x20c) returned 1 [0070.623] CloseHandle (hObject=0x20c) returned 1 [0070.626] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0070.626] SetEndOfFile (hFile=0x208) returned 1 [0070.627] CloseHandle (hObject=0x208) returned 1 [0070.627] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0070.628] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 1 [0070.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0070.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0070.628] lstrlenW (lpString=".doc") returned 4 [0070.628] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.628] lstrlenW (lpString=".docx") returned 5 [0070.628] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0070.628] lstrlenW (lpString=".pdf") returned 4 [0070.628] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.628] lstrlenW (lpString=".xls") returned 4 [0070.628] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.628] lstrlenW (lpString=".xlsx") returned 5 [0070.628] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0070.628] lstrlenW (lpString=".ppt") returned 4 [0070.629] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0070.629] lstrlenW (lpString=".zip") returned 4 [0070.629] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.629] lstrlenW (lpString=".rar") returned 4 [0070.629] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.629] lstrlenW (lpString=".bz2") returned 4 [0070.629] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.629] lstrlenW (lpString=".7z") returned 3 [0070.629] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0070.629] lstrlenW (lpString=".dbf") returned 4 [0070.629] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0070.629] lstrlenW (lpString=".1cd") returned 4 [0070.629] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0070.629] lstrlenW (lpString=".jpg") returned 4 [0070.629] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0070.629] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0070.629] lstrlenW (lpString=".doc") returned 4 [0070.629] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.629] lstrlenW (lpString=".docx") returned 5 [0070.629] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0070.629] lstrlenW (lpString=".pdf") returned 4 [0070.629] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.630] lstrlenW (lpString=".xls") returned 4 [0070.630] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.630] lstrlenW (lpString=".xlsx") returned 5 [0070.630] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0070.630] lstrlenW (lpString=".ppt") returned 4 [0070.630] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0070.630] lstrlenW (lpString=".zip") returned 4 [0070.630] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.630] lstrlenW (lpString=".rar") returned 4 [0070.630] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.630] lstrlenW (lpString=".bz2") returned 4 [0070.630] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.630] lstrlenW (lpString=".7z") returned 3 [0070.630] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0070.630] lstrlenW (lpString=".dbf") returned 4 [0070.630] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0070.630] lstrlenW (lpString=".1cd") returned 4 [0070.630] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0070.630] lstrlenW (lpString=".jpg") returned 4 [0070.630] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.630] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0070.631] lstrlenW (lpString="Setup.xml") returned 9 [0070.631] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0070.632] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=31094) returned 1 [0070.632] CloseHandle (hObject=0x208) returned 1 [0070.633] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0070.633] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0070.633] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0070.633] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0070.633] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0070.633] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0070.633] GetLastError () returned 0x0 [0070.633] ReadFile (in: hFile=0x208, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x7976, lpOverlapped=0x0) returned 1 [0070.731] WriteFile (in: hFile=0x20c, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x7980, lpOverlapped=0x0) returned 1 [0070.733] ReadFile (in: hFile=0x208, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0070.733] WriteFile (in: hFile=0x20c, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0070.733] SetEndOfFile (hFile=0x20c) returned 1 [0070.733] CloseHandle (hObject=0x20c) returned 1 [0070.747] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0070.747] SetEndOfFile (hFile=0x208) returned 1 [0070.748] CloseHandle (hObject=0x208) returned 1 [0070.748] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0070.748] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0070.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.749] lstrlenW (lpString=".doc") returned 4 [0070.749] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.749] lstrlenW (lpString=".docx") returned 5 [0070.749] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0070.749] lstrlenW (lpString=".pdf") returned 4 [0070.749] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.749] lstrlenW (lpString=".xls") returned 4 [0070.749] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.749] lstrlenW (lpString=".xlsx") returned 5 [0070.749] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0070.749] lstrlenW (lpString=".ppt") returned 4 [0070.749] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.749] lstrlenW (lpString=".zip") returned 4 [0070.749] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.749] lstrlenW (lpString=".rar") returned 4 [0070.749] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.749] lstrlenW (lpString=".bz2") returned 4 [0070.749] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.750] lstrlenW (lpString=".7z") returned 3 [0070.750] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.750] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.750] lstrlenW (lpString=".dbf") returned 4 [0070.750] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.750] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.750] lstrlenW (lpString=".1cd") returned 4 [0070.750] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.750] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.750] lstrlenW (lpString=".jpg") returned 4 [0070.750] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.750] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.750] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.750] lstrlenW (lpString=".doc") returned 4 [0070.750] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.750] lstrlenW (lpString=".docx") returned 5 [0070.750] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0070.750] lstrlenW (lpString=".pdf") returned 4 [0070.750] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.750] lstrlenW (lpString=".xls") returned 4 [0070.750] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.750] lstrlenW (lpString=".xlsx") returned 5 [0070.750] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0070.750] lstrlenW (lpString=".ppt") returned 4 [0070.750] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.750] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.751] lstrlenW (lpString=".zip") returned 4 [0070.751] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.751] lstrlenW (lpString=".rar") returned 4 [0070.751] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.751] lstrlenW (lpString=".bz2") returned 4 [0070.751] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.751] lstrlenW (lpString=".7z") returned 3 [0070.751] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.751] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.751] lstrlenW (lpString=".dbf") returned 4 [0070.751] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.751] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.751] lstrlenW (lpString=".1cd") returned 4 [0070.751] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.751] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.751] lstrlenW (lpString=".jpg") returned 4 [0070.751] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.751] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0070.751] lstrlenW (lpString="PrjProrWW.xml") returned 13 [0070.751] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0070.936] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=6421) returned 1 [0070.952] CloseHandle (hObject=0x1d4) returned 1 [0070.952] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 0x2020 [0070.960] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0070.961] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0070.961] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0070.961] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0070.961] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0070.961] GetLastError () returned 0x0 [0070.961] ReadFile (in: hFile=0x1d4, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x1915, lpOverlapped=0x0) returned 1 [0070.971] WriteFile (in: hFile=0x164, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x1920, lpOverlapped=0x0) returned 1 [0070.973] ReadFile (in: hFile=0x1d4, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0070.974] WriteFile (in: hFile=0x164, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xee, lpOverlapped=0x0) returned 1 [0070.974] SetEndOfFile (hFile=0x164) returned 1 [0070.974] CloseHandle (hObject=0x164) returned 1 [0070.976] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0070.976] SetEndOfFile (hFile=0x1d4) returned 1 [0070.977] CloseHandle (hObject=0x1d4) returned 1 [0070.978] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0070.978] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 1 [0070.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0070.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0070.978] lstrlenW (lpString=".doc") returned 4 [0070.978] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.978] lstrlenW (lpString=".docx") returned 5 [0070.979] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0070.979] lstrlenW (lpString=".pdf") returned 4 [0070.979] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.979] lstrlenW (lpString=".xls") returned 4 [0070.979] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.979] lstrlenW (lpString=".xlsx") returned 5 [0070.979] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0070.979] lstrlenW (lpString=".ppt") returned 4 [0070.979] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0070.979] lstrlenW (lpString=".zip") returned 4 [0070.979] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.979] lstrlenW (lpString=".rar") returned 4 [0070.979] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.979] lstrlenW (lpString=".bz2") returned 4 [0070.979] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.979] lstrlenW (lpString=".7z") returned 3 [0070.979] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0070.979] lstrlenW (lpString=".dbf") returned 4 [0070.979] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0070.979] lstrlenW (lpString=".1cd") returned 4 [0070.979] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0070.979] lstrlenW (lpString=".jpg") returned 4 [0070.980] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0070.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0070.980] lstrlenW (lpString=".doc") returned 4 [0070.980] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.980] lstrlenW (lpString=".docx") returned 5 [0070.980] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0070.980] lstrlenW (lpString=".pdf") returned 4 [0070.980] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.980] lstrlenW (lpString=".xls") returned 4 [0070.980] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.980] lstrlenW (lpString=".xlsx") returned 5 [0070.980] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0070.980] lstrlenW (lpString=".ppt") returned 4 [0070.980] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0070.980] lstrlenW (lpString=".zip") returned 4 [0070.980] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.980] lstrlenW (lpString=".rar") returned 4 [0070.980] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.980] lstrlenW (lpString=".bz2") returned 4 [0070.980] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.980] lstrlenW (lpString=".7z") returned 3 [0070.981] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0070.981] lstrlenW (lpString=".dbf") returned 4 [0070.981] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0070.981] lstrlenW (lpString=".1cd") returned 4 [0070.981] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0070.981] lstrlenW (lpString=".jpg") returned 4 [0070.981] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.981] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0070.981] lstrlenW (lpString="Setup.xml") returned 9 [0070.981] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0070.982] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=20577) returned 1 [0070.982] CloseHandle (hObject=0x1d4) returned 1 [0070.982] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0070.982] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0070.982] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0070.982] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0070.982] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0070.982] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0070.983] GetLastError () returned 0x0 [0070.983] ReadFile (in: hFile=0x1d4, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x5061, lpOverlapped=0x0) returned 1 [0071.083] WriteFile (in: hFile=0x164, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x5070, lpOverlapped=0x0) returned 1 [0071.085] ReadFile (in: hFile=0x1d4, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0071.085] WriteFile (in: hFile=0x164, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0071.085] SetEndOfFile (hFile=0x164) returned 1 [0071.085] CloseHandle (hObject=0x164) returned 1 [0071.093] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0071.093] SetEndOfFile (hFile=0x1d4) returned 1 [0071.095] CloseHandle (hObject=0x1d4) returned 1 [0071.095] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0071.095] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0071.492] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0071.492] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0071.492] lstrlenW (lpString=".doc") returned 4 [0071.492] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0071.492] lstrlenW (lpString=".docx") returned 5 [0071.492] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0071.492] lstrlenW (lpString=".pdf") returned 4 [0071.492] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0071.492] lstrlenW (lpString=".xls") returned 4 [0071.492] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0071.492] lstrlenW (lpString=".xlsx") returned 5 [0071.492] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0071.492] lstrlenW (lpString=".ppt") returned 4 [0071.492] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0071.492] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0071.492] lstrlenW (lpString=".zip") returned 4 [0071.492] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0071.492] lstrlenW (lpString=".rar") returned 4 [0071.492] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0071.493] lstrlenW (lpString=".bz2") returned 4 [0071.493] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0071.493] lstrlenW (lpString=".7z") returned 3 [0071.493] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0071.493] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0071.493] lstrlenW (lpString=".dbf") returned 4 [0071.493] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0071.493] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0071.493] lstrlenW (lpString=".1cd") returned 4 [0071.493] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0071.493] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0071.493] lstrlenW (lpString=".jpg") returned 4 [0071.493] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0071.493] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0071.493] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0071.493] lstrlenW (lpString=".doc") returned 4 [0071.493] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0071.493] lstrlenW (lpString=".docx") returned 5 [0071.493] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0071.493] lstrlenW (lpString=".pdf") returned 4 [0071.493] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0071.493] lstrlenW (lpString=".xls") returned 4 [0071.493] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0071.493] lstrlenW (lpString=".xlsx") returned 5 [0071.493] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0071.493] lstrlenW (lpString=".ppt") returned 4 [0071.493] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0071.493] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0071.493] lstrlenW (lpString=".zip") returned 4 [0071.493] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0071.493] lstrlenW (lpString=".rar") returned 4 [0071.493] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0071.493] lstrlenW (lpString=".bz2") returned 4 [0071.493] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0071.493] lstrlenW (lpString=".7z") returned 3 [0071.493] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0071.494] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0071.494] lstrlenW (lpString=".dbf") returned 4 [0071.494] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0071.494] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0071.494] lstrlenW (lpString=".1cd") returned 4 [0071.494] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0071.494] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0071.494] lstrlenW (lpString=".jpg") returned 4 [0071.494] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0071.494] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0071.494] lstrlenW (lpString="Content.xml") returned 11 [0071.494] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0072.504] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=27045) returned 1 [0072.504] CloseHandle (hObject=0x204) returned 1 [0072.504] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0072.504] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.504] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0072.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0072.504] lstrlenW (lpString=".doc") returned 4 [0072.505] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.505] lstrlenW (lpString=".docx") returned 5 [0072.505] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0072.505] lstrlenW (lpString=".pdf") returned 4 [0072.505] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.505] lstrlenW (lpString=".xls") returned 4 [0072.505] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.505] lstrlenW (lpString=".xlsx") returned 5 [0072.505] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0072.505] lstrlenW (lpString=".ppt") returned 4 [0072.505] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0072.505] lstrlenW (lpString=".zip") returned 4 [0072.505] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.505] lstrlenW (lpString=".rar") returned 4 [0072.505] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.505] lstrlenW (lpString=".bz2") returned 4 [0072.505] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.505] lstrlenW (lpString=".7z") returned 3 [0072.505] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0072.505] lstrlenW (lpString=".dbf") returned 4 [0072.505] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0072.505] lstrlenW (lpString=".1cd") returned 4 [0072.505] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0072.506] lstrlenW (lpString=".jpg") returned 4 [0072.506] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0072.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0072.506] lstrlenW (lpString=".doc") returned 4 [0072.506] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.506] lstrlenW (lpString=".docx") returned 5 [0072.506] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0072.506] lstrlenW (lpString=".pdf") returned 4 [0072.506] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.506] lstrlenW (lpString=".xls") returned 4 [0072.506] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.506] lstrlenW (lpString=".xlsx") returned 5 [0072.506] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0072.506] lstrlenW (lpString=".ppt") returned 4 [0072.506] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0072.506] lstrlenW (lpString=".zip") returned 4 [0072.506] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.506] lstrlenW (lpString=".rar") returned 4 [0072.506] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.506] lstrlenW (lpString=".bz2") returned 4 [0072.506] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.506] lstrlenW (lpString=".7z") returned 3 [0072.506] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0072.506] lstrlenW (lpString=".dbf") returned 4 [0072.507] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0072.507] lstrlenW (lpString=".1cd") returned 4 [0072.507] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0072.507] lstrlenW (lpString=".jpg") returned 4 [0072.507] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.507] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.507] lstrlenW (lpString="keypad.xml") returned 10 [0072.507] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0072.881] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=727) returned 1 [0072.881] CloseHandle (hObject=0x1cc) returned 1 [0072.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml")) returned 0x20 [0072.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.881] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0072.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0072.881] lstrlenW (lpString=".doc") returned 4 [0072.881] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.881] lstrlenW (lpString=".docx") returned 5 [0072.881] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0072.881] lstrlenW (lpString=".pdf") returned 4 [0072.881] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.881] lstrlenW (lpString=".xls") returned 4 [0072.881] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.881] lstrlenW (lpString=".xlsx") returned 5 [0072.882] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0072.882] lstrlenW (lpString=".ppt") returned 4 [0072.882] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0072.882] lstrlenW (lpString=".zip") returned 4 [0072.882] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.882] lstrlenW (lpString=".rar") returned 4 [0072.882] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.882] lstrlenW (lpString=".bz2") returned 4 [0072.882] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.882] lstrlenW (lpString=".7z") returned 3 [0072.882] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0072.882] lstrlenW (lpString=".dbf") returned 4 [0072.882] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0072.882] lstrlenW (lpString=".1cd") returned 4 [0072.882] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0072.882] lstrlenW (lpString=".jpg") returned 4 [0072.882] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0072.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0072.882] lstrlenW (lpString=".doc") returned 4 [0072.882] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.882] lstrlenW (lpString=".docx") returned 5 [0072.882] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0072.882] lstrlenW (lpString=".pdf") returned 4 [0072.882] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.882] lstrlenW (lpString=".xls") returned 4 [0072.882] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.882] lstrlenW (lpString=".xlsx") returned 5 [0072.882] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0072.883] lstrlenW (lpString=".ppt") returned 4 [0072.883] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0072.883] lstrlenW (lpString=".zip") returned 4 [0072.883] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.883] lstrlenW (lpString=".rar") returned 4 [0072.883] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.883] lstrlenW (lpString=".bz2") returned 4 [0072.883] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.883] lstrlenW (lpString=".7z") returned 3 [0072.883] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0072.883] lstrlenW (lpString=".dbf") returned 4 [0072.883] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0072.883] lstrlenW (lpString=".1cd") returned 4 [0072.883] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0072.883] lstrlenW (lpString=".jpg") returned 4 [0072.883] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.883] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.883] lstrlenW (lpString="oskmenubase.xml") returned 15 [0072.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0072.884] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=471) returned 1 [0072.884] CloseHandle (hObject=0x1cc) returned 1 [0072.884] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml")) returned 0x20 [0072.885] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.885] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0072.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0072.885] lstrlenW (lpString=".doc") returned 4 [0072.885] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.885] lstrlenW (lpString=".docx") returned 5 [0072.885] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0072.885] lstrlenW (lpString=".pdf") returned 4 [0072.885] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.885] lstrlenW (lpString=".xls") returned 4 [0072.885] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.885] lstrlenW (lpString=".xlsx") returned 5 [0072.885] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0072.885] lstrlenW (lpString=".ppt") returned 4 [0072.885] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0072.885] lstrlenW (lpString=".zip") returned 4 [0072.885] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.885] lstrlenW (lpString=".rar") returned 4 [0072.885] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.885] lstrlenW (lpString=".bz2") returned 4 [0072.885] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.886] lstrlenW (lpString=".7z") returned 3 [0072.886] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.886] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0072.886] lstrlenW (lpString=".dbf") returned 4 [0072.886] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.886] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0072.886] lstrlenW (lpString=".1cd") returned 4 [0072.886] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.886] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0072.886] lstrlenW (lpString=".jpg") returned 4 [0072.886] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.886] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0072.886] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0072.886] lstrlenW (lpString=".doc") returned 4 [0072.886] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.886] lstrlenW (lpString=".docx") returned 5 [0072.886] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0072.886] lstrlenW (lpString=".pdf") returned 4 [0072.886] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.886] lstrlenW (lpString=".xls") returned 4 [0072.886] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.886] lstrlenW (lpString=".xlsx") returned 5 [0072.886] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0072.886] lstrlenW (lpString=".ppt") returned 4 [0072.886] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.886] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0072.886] lstrlenW (lpString=".zip") returned 4 [0072.887] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.887] lstrlenW (lpString=".rar") returned 4 [0072.887] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.887] lstrlenW (lpString=".bz2") returned 4 [0072.887] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.887] lstrlenW (lpString=".7z") returned 3 [0072.887] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0072.887] lstrlenW (lpString=".dbf") returned 4 [0072.887] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0072.887] lstrlenW (lpString=".1cd") returned 4 [0072.887] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0072.887] lstrlenW (lpString=".jpg") returned 4 [0072.887] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.887] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.887] lstrlenW (lpString="oskmenu.xml") returned 11 [0072.887] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0072.888] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=215) returned 1 [0072.888] CloseHandle (hObject=0x1cc) returned 1 [0072.888] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml")) returned 0x20 [0072.888] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.888] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0072.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0072.888] lstrlenW (lpString=".doc") returned 4 [0072.888] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.888] lstrlenW (lpString=".docx") returned 5 [0072.888] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0072.888] lstrlenW (lpString=".pdf") returned 4 [0072.888] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.888] lstrlenW (lpString=".xls") returned 4 [0072.888] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.888] lstrlenW (lpString=".xlsx") returned 5 [0072.888] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0072.888] lstrlenW (lpString=".ppt") returned 4 [0072.888] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0072.888] lstrlenW (lpString=".zip") returned 4 [0072.888] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.888] lstrlenW (lpString=".rar") returned 4 [0072.888] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.889] lstrlenW (lpString=".bz2") returned 4 [0072.889] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.889] lstrlenW (lpString=".7z") returned 3 [0072.889] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0072.889] lstrlenW (lpString=".dbf") returned 4 [0072.889] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0072.889] lstrlenW (lpString=".1cd") returned 4 [0072.889] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0072.889] lstrlenW (lpString=".jpg") returned 4 [0072.889] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0072.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0072.889] lstrlenW (lpString=".doc") returned 4 [0072.889] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.889] lstrlenW (lpString=".docx") returned 5 [0072.889] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0072.889] lstrlenW (lpString=".pdf") returned 4 [0072.889] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.889] lstrlenW (lpString=".xls") returned 4 [0072.889] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.889] lstrlenW (lpString=".xlsx") returned 5 [0072.889] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0072.889] lstrlenW (lpString=".ppt") returned 4 [0072.889] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0072.889] lstrlenW (lpString=".zip") returned 4 [0072.889] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.889] lstrlenW (lpString=".rar") returned 4 [0072.889] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.889] lstrlenW (lpString=".bz2") returned 4 [0072.889] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.889] lstrlenW (lpString=".7z") returned 3 [0072.890] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0072.890] lstrlenW (lpString=".dbf") returned 4 [0072.890] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0072.890] lstrlenW (lpString=".1cd") returned 4 [0072.890] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0072.890] lstrlenW (lpString=".jpg") returned 4 [0072.890] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.890] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.890] lstrlenW (lpString="osknumpadbase.xml") returned 17 [0072.890] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0072.890] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=1437) returned 1 [0072.890] CloseHandle (hObject=0x1cc) returned 1 [0072.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml")) returned 0x20 [0072.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.891] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0072.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0072.891] lstrlenW (lpString=".doc") returned 4 [0072.891] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.891] lstrlenW (lpString=".docx") returned 5 [0072.891] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0072.891] lstrlenW (lpString=".pdf") returned 4 [0072.891] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.891] lstrlenW (lpString=".xls") returned 4 [0072.891] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.891] lstrlenW (lpString=".xlsx") returned 5 [0072.891] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0072.891] lstrlenW (lpString=".ppt") returned 4 [0072.891] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0072.891] lstrlenW (lpString=".zip") returned 4 [0072.891] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.891] lstrlenW (lpString=".rar") returned 4 [0072.891] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.891] lstrlenW (lpString=".bz2") returned 4 [0072.891] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.891] lstrlenW (lpString=".7z") returned 3 [0072.891] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0072.892] lstrlenW (lpString=".dbf") returned 4 [0072.892] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0072.892] lstrlenW (lpString=".1cd") returned 4 [0072.892] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0072.892] lstrlenW (lpString=".jpg") returned 4 [0072.892] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0072.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0072.892] lstrlenW (lpString=".doc") returned 4 [0072.892] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.892] lstrlenW (lpString=".docx") returned 5 [0072.892] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0072.892] lstrlenW (lpString=".pdf") returned 4 [0072.892] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.892] lstrlenW (lpString=".xls") returned 4 [0072.892] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.892] lstrlenW (lpString=".xlsx") returned 5 [0072.892] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0072.892] lstrlenW (lpString=".ppt") returned 4 [0072.892] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0072.892] lstrlenW (lpString=".zip") returned 4 [0072.892] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.892] lstrlenW (lpString=".rar") returned 4 [0072.892] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.892] lstrlenW (lpString=".bz2") returned 4 [0072.892] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.892] lstrlenW (lpString=".7z") returned 3 [0072.892] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0072.892] lstrlenW (lpString=".dbf") returned 4 [0072.893] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0072.893] lstrlenW (lpString=".1cd") returned 4 [0072.893] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0072.893] lstrlenW (lpString=".jpg") returned 4 [0072.893] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.893] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.893] lstrlenW (lpString="osknumpad.xml") returned 13 [0072.893] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0072.894] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=219) returned 1 [0072.894] CloseHandle (hObject=0x1cc) returned 1 [0072.894] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml")) returned 0x20 [0072.894] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.894] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0072.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0072.894] lstrlenW (lpString=".doc") returned 4 [0072.894] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.894] lstrlenW (lpString=".docx") returned 5 [0072.894] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0072.894] lstrlenW (lpString=".pdf") returned 4 [0072.894] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.894] lstrlenW (lpString=".xls") returned 4 [0072.894] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.894] lstrlenW (lpString=".xlsx") returned 5 [0072.895] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0072.895] lstrlenW (lpString=".ppt") returned 4 [0072.895] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0072.895] lstrlenW (lpString=".zip") returned 4 [0072.895] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.895] lstrlenW (lpString=".rar") returned 4 [0072.895] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.895] lstrlenW (lpString=".bz2") returned 4 [0072.895] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.895] lstrlenW (lpString=".7z") returned 3 [0072.895] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0072.895] lstrlenW (lpString=".dbf") returned 4 [0072.895] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0072.895] lstrlenW (lpString=".1cd") returned 4 [0072.895] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0072.895] lstrlenW (lpString=".jpg") returned 4 [0072.895] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0072.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0072.895] lstrlenW (lpString=".doc") returned 4 [0072.895] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.895] lstrlenW (lpString=".docx") returned 5 [0072.895] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0072.895] lstrlenW (lpString=".pdf") returned 4 [0072.895] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.895] lstrlenW (lpString=".xls") returned 4 [0072.895] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.895] lstrlenW (lpString=".xlsx") returned 5 [0072.895] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0072.895] lstrlenW (lpString=".ppt") returned 4 [0072.895] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0072.896] lstrlenW (lpString=".zip") returned 4 [0072.896] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.896] lstrlenW (lpString=".rar") returned 4 [0072.896] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.896] lstrlenW (lpString=".bz2") returned 4 [0072.896] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.896] lstrlenW (lpString=".7z") returned 3 [0072.896] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.896] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0072.896] lstrlenW (lpString=".dbf") returned 4 [0072.896] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.896] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0072.896] lstrlenW (lpString=".1cd") returned 4 [0072.896] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.896] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0072.896] lstrlenW (lpString=".jpg") returned 4 [0072.896] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.896] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.896] lstrlenW (lpString="oskpredbase.xml") returned 15 [0072.896] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0072.897] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=924) returned 1 [0072.897] CloseHandle (hObject=0x1cc) returned 1 [0072.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml")) returned 0x20 [0072.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.897] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.897] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0072.897] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0072.897] lstrlenW (lpString=".doc") returned 4 [0072.897] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.898] lstrlenW (lpString=".docx") returned 5 [0072.898] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0072.898] lstrlenW (lpString=".pdf") returned 4 [0072.898] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.898] lstrlenW (lpString=".xls") returned 4 [0072.898] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.898] lstrlenW (lpString=".xlsx") returned 5 [0072.898] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0072.898] lstrlenW (lpString=".ppt") returned 4 [0072.898] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0072.898] lstrlenW (lpString=".zip") returned 4 [0072.898] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.898] lstrlenW (lpString=".rar") returned 4 [0072.898] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.898] lstrlenW (lpString=".bz2") returned 4 [0072.898] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.898] lstrlenW (lpString=".7z") returned 3 [0072.898] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0072.898] lstrlenW (lpString=".dbf") returned 4 [0072.898] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.904] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0 [0072.904] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0 [0072.905] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0 [0072.905] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0 [0072.919] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0072.920] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0072.920] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfc6c | out: lpNewFilePointer=0x0) returned 1 [0072.920] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfc2c | out: lpNewFilePointer=0x0) returned 1 [0072.920] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2adfc38, lpOverlapped=0x0 | out: lpBuffer=0x2fb0058*, lpNumberOfBytesRead=0x2adfc38*=0x40000, lpOverlapped=0x0) returned 1 [0073.161] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x2adfc2c | out: lpNewFilePointer=0x0) returned 1 [0073.161] ReadFile (in: hFile=0x1cc, lpBuffer=0x2ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2adfc38, lpOverlapped=0x0 | out: lpBuffer=0x2ff0058*, lpNumberOfBytesRead=0x2adfc38*=0x40000, lpOverlapped=0x0) returned 1 [0073.178] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2adfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0073.178] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x2adfc2c | out: lpNewFilePointer=0x0) returned 1 [0073.178] ReadFile (in: hFile=0x1cc, lpBuffer=0x3030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2adfc38, lpOverlapped=0x0 | out: lpBuffer=0x3030058*, lpNumberOfBytesRead=0x2adfc38*=0x40000, lpOverlapped=0x0) returned 1 [0073.204] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0073.204] WriteFile (in: hFile=0x1cc, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x2adfcb0, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0073.599] SetEndOfFile (hFile=0x1cc) returned 1 [0073.600] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0073.735] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfc7c | out: lpNewFilePointer=0x0) returned 1 [0073.735] WriteFile (in: hFile=0x1cc, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2adfc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x2adfc88*=0x40000, lpOverlapped=0x0) returned 1 [0073.738] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x2adfc7c | out: lpNewFilePointer=0x0) returned 1 [0073.738] WriteFile (in: hFile=0x1cc, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2adfc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x2adfc88*=0x40000, lpOverlapped=0x0) returned 1 [0073.741] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x2adfc7c | out: lpNewFilePointer=0x0) returned 1 [0073.741] WriteFile (in: hFile=0x1cc, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2adfc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x2adfc88*=0x40000, lpOverlapped=0x0) returned 1 [0073.744] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0073.744] CloseHandle (hObject=0x1cc) returned 1 [0074.576] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0074.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0074.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0074.577] lstrlenW (lpString=".doc") returned 4 [0074.577] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0074.577] lstrlenW (lpString=".docx") returned 5 [0074.577] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0074.577] lstrlenW (lpString=".pdf") returned 4 [0074.577] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0074.577] lstrlenW (lpString=".xls") returned 4 [0074.577] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0074.577] lstrlenW (lpString=".xlsx") returned 5 [0074.577] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0074.577] lstrlenW (lpString=".ppt") returned 4 [0074.577] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0074.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0074.577] lstrlenW (lpString=".zip") returned 4 [0074.577] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0074.577] lstrlenW (lpString=".rar") returned 4 [0074.577] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0074.577] lstrlenW (lpString=".bz2") returned 4 [0074.577] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0074.577] lstrlenW (lpString=".7z") returned 3 [0074.577] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0074.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0074.577] lstrlenW (lpString=".dbf") returned 4 [0074.578] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0074.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0074.578] lstrlenW (lpString=".1cd") returned 4 [0074.578] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0074.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0074.578] lstrlenW (lpString=".jpg") returned 4 [0074.578] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0074.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0074.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0074.578] lstrlenW (lpString=".doc") returned 4 [0074.578] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0074.578] lstrlenW (lpString=".docx") returned 5 [0074.578] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0074.578] lstrlenW (lpString=".pdf") returned 4 [0074.578] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0074.578] lstrlenW (lpString=".xls") returned 4 [0074.578] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0074.578] lstrlenW (lpString=".xlsx") returned 5 [0074.578] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0074.578] lstrlenW (lpString=".ppt") returned 4 [0074.578] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0074.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0074.578] lstrlenW (lpString=".zip") returned 4 [0074.578] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0074.578] lstrlenW (lpString=".rar") returned 4 [0074.578] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0074.578] lstrlenW (lpString=".bz2") returned 4 [0074.578] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0074.578] lstrlenW (lpString=".7z") returned 3 [0074.578] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0074.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0074.578] lstrlenW (lpString=".dbf") returned 4 [0074.578] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0074.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0074.578] lstrlenW (lpString=".1cd") returned 4 [0074.579] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0074.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0074.579] lstrlenW (lpString=".jpg") returned 4 [0074.579] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0074.579] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0074.579] lstrlenW (lpString="SETUP.XML") returned 9 [0074.579] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0074.650] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=9352) returned 1 [0074.650] CloseHandle (hObject=0x204) returned 1 [0074.650] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 0x20 [0074.650] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.650] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0074.650] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0074.651] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0074.651] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0074.651] GetLastError () returned 0x0 [0074.651] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x2488, lpOverlapped=0x0) returned 1 [0075.340] WriteFile (in: hFile=0x1cc, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x2490, lpOverlapped=0x0) returned 1 [0075.341] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0075.341] WriteFile (in: hFile=0x1cc, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0075.341] SetEndOfFile (hFile=0x1cc) returned 1 [0075.341] CloseHandle (hObject=0x1cc) returned 1 [0075.345] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0075.345] SetEndOfFile (hFile=0x204) returned 1 [0075.346] CloseHandle (hObject=0x204) returned 1 [0075.346] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0075.346] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 1 [0075.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0075.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0075.347] lstrlenW (lpString=".doc") returned 4 [0075.347] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.347] lstrlenW (lpString=".docx") returned 5 [0075.347] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0075.347] lstrlenW (lpString=".pdf") returned 4 [0075.347] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.347] lstrlenW (lpString=".xls") returned 4 [0075.347] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.347] lstrlenW (lpString=".xlsx") returned 5 [0075.347] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0075.347] lstrlenW (lpString=".ppt") returned 4 [0075.347] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0075.347] lstrlenW (lpString=".zip") returned 4 [0075.347] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.347] lstrlenW (lpString=".rar") returned 4 [0075.347] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.347] lstrlenW (lpString=".bz2") returned 4 [0075.347] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.347] lstrlenW (lpString=".7z") returned 3 [0075.347] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0075.347] lstrlenW (lpString=".dbf") returned 4 [0075.347] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0075.347] lstrlenW (lpString=".1cd") returned 4 [0075.347] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0075.347] lstrlenW (lpString=".jpg") returned 4 [0075.347] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0075.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0075.348] lstrlenW (lpString=".doc") returned 4 [0075.348] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.348] lstrlenW (lpString=".docx") returned 5 [0075.348] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0075.348] lstrlenW (lpString=".pdf") returned 4 [0075.348] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.348] lstrlenW (lpString=".xls") returned 4 [0075.348] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.348] lstrlenW (lpString=".xlsx") returned 5 [0075.348] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0075.348] lstrlenW (lpString=".ppt") returned 4 [0075.348] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0075.348] lstrlenW (lpString=".zip") returned 4 [0075.348] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.348] lstrlenW (lpString=".rar") returned 4 [0075.348] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.348] lstrlenW (lpString=".bz2") returned 4 [0075.348] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.348] lstrlenW (lpString=".7z") returned 3 [0075.348] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0075.348] lstrlenW (lpString=".dbf") returned 4 [0075.348] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0075.348] lstrlenW (lpString=".1cd") returned 4 [0075.348] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0075.348] lstrlenW (lpString=".jpg") returned 4 [0075.348] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.349] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0075.349] lstrlenW (lpString="Office32WW.XML") returned 14 [0075.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0075.349] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=4274) returned 1 [0075.349] CloseHandle (hObject=0x204) returned 1 [0075.349] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 0x20 [0075.349] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0075.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0075.349] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0075.349] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0075.350] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0075.350] GetLastError () returned 0x0 [0075.350] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x10b2, lpOverlapped=0x0) returned 1 [0075.424] WriteFile (in: hFile=0x1cc, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0075.425] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0075.425] WriteFile (in: hFile=0x1cc, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xf0, lpOverlapped=0x0) returned 1 [0075.425] SetEndOfFile (hFile=0x1cc) returned 1 [0075.426] CloseHandle (hObject=0x1cc) returned 1 [0075.427] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0075.427] SetEndOfFile (hFile=0x204) returned 1 [0075.428] CloseHandle (hObject=0x204) returned 1 [0075.428] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0075.428] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 1 [0075.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0075.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0075.429] lstrlenW (lpString=".doc") returned 4 [0075.429] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.429] lstrlenW (lpString=".docx") returned 5 [0075.429] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0075.429] lstrlenW (lpString=".pdf") returned 4 [0075.429] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.429] lstrlenW (lpString=".xls") returned 4 [0075.429] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.429] lstrlenW (lpString=".xlsx") returned 5 [0075.429] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0075.429] lstrlenW (lpString=".ppt") returned 4 [0075.429] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0075.429] lstrlenW (lpString=".zip") returned 4 [0075.429] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.429] lstrlenW (lpString=".rar") returned 4 [0075.429] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.429] lstrlenW (lpString=".bz2") returned 4 [0075.429] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.429] lstrlenW (lpString=".7z") returned 3 [0075.429] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0075.429] lstrlenW (lpString=".dbf") returned 4 [0075.429] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0075.429] lstrlenW (lpString=".1cd") returned 4 [0075.430] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0075.430] lstrlenW (lpString=".jpg") returned 4 [0075.430] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0075.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0075.430] lstrlenW (lpString=".doc") returned 4 [0075.430] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.430] lstrlenW (lpString=".docx") returned 5 [0075.430] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0075.430] lstrlenW (lpString=".pdf") returned 4 [0075.430] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.430] lstrlenW (lpString=".xls") returned 4 [0075.430] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.430] lstrlenW (lpString=".xlsx") returned 5 [0075.430] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0075.430] lstrlenW (lpString=".ppt") returned 4 [0075.430] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0075.430] lstrlenW (lpString=".zip") returned 4 [0075.430] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.430] lstrlenW (lpString=".rar") returned 4 [0075.430] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.430] lstrlenW (lpString=".bz2") returned 4 [0075.430] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.430] lstrlenW (lpString=".7z") returned 3 [0075.430] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0075.430] lstrlenW (lpString=".dbf") returned 4 [0075.430] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0075.430] lstrlenW (lpString=".1cd") returned 4 [0075.431] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0075.431] lstrlenW (lpString=".jpg") returned 4 [0075.431] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.431] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0075.431] lstrlenW (lpString="SETUP.XML") returned 9 [0075.431] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0075.753] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=1988) returned 1 [0075.753] CloseHandle (hObject=0x20c) returned 1 [0075.753] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 0x20 [0075.754] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0075.754] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0075.754] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0075.754] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0075.754] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0075.754] GetLastError () returned 0x0 [0075.754] ReadFile (in: hFile=0x20c, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x7c4, lpOverlapped=0x0) returned 1 [0075.809] WriteFile (in: hFile=0x210, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0075.810] ReadFile (in: hFile=0x20c, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0075.810] WriteFile (in: hFile=0x210, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0075.810] SetEndOfFile (hFile=0x210) returned 1 [0075.810] CloseHandle (hObject=0x210) returned 1 [0075.811] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0075.811] SetEndOfFile (hFile=0x20c) returned 1 [0075.812] CloseHandle (hObject=0x20c) returned 1 [0075.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0075.813] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 1 [0075.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0075.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0075.813] lstrlenW (lpString=".doc") returned 4 [0075.813] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.813] lstrlenW (lpString=".docx") returned 5 [0075.813] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0075.813] lstrlenW (lpString=".pdf") returned 4 [0075.813] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.813] lstrlenW (lpString=".xls") returned 4 [0075.813] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.813] lstrlenW (lpString=".xlsx") returned 5 [0075.813] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0075.813] lstrlenW (lpString=".ppt") returned 4 [0075.813] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0075.814] lstrlenW (lpString=".zip") returned 4 [0075.814] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.814] lstrlenW (lpString=".rar") returned 4 [0075.814] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.814] lstrlenW (lpString=".bz2") returned 4 [0075.814] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.814] lstrlenW (lpString=".7z") returned 3 [0075.814] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0075.814] lstrlenW (lpString=".dbf") returned 4 [0075.814] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0075.814] lstrlenW (lpString=".1cd") returned 4 [0075.814] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0075.814] lstrlenW (lpString=".jpg") returned 4 [0075.814] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0075.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0075.814] lstrlenW (lpString=".doc") returned 4 [0075.814] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.814] lstrlenW (lpString=".docx") returned 5 [0075.814] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0075.814] lstrlenW (lpString=".pdf") returned 4 [0075.814] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.814] lstrlenW (lpString=".xls") returned 4 [0075.815] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.815] lstrlenW (lpString=".xlsx") returned 5 [0075.815] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0075.815] lstrlenW (lpString=".ppt") returned 4 [0075.815] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0075.815] lstrlenW (lpString=".zip") returned 4 [0075.815] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.815] lstrlenW (lpString=".rar") returned 4 [0075.815] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.815] lstrlenW (lpString=".bz2") returned 4 [0075.815] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.815] lstrlenW (lpString=".7z") returned 3 [0075.815] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0075.815] lstrlenW (lpString=".dbf") returned 4 [0075.815] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0075.815] lstrlenW (lpString=".1cd") returned 4 [0075.815] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0075.815] lstrlenW (lpString=".jpg") returned 4 [0075.815] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.895] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0075.895] lstrlenW (lpString="PrjProrWW.XML") returned 13 [0075.895] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0076.076] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=6421) returned 1 [0076.076] CloseHandle (hObject=0x1ec) returned 1 [0076.076] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 0x20 [0076.076] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0076.077] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0076.077] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0076.077] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0076.077] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0076.077] GetLastError () returned 0x0 [0076.077] ReadFile (in: hFile=0x1ec, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x1915, lpOverlapped=0x0) returned 1 [0077.470] WriteFile (in: hFile=0x208, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x1920, lpOverlapped=0x0) returned 1 [0077.471] ReadFile (in: hFile=0x1ec, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0077.471] WriteFile (in: hFile=0x208, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xee, lpOverlapped=0x0) returned 1 [0077.471] SetEndOfFile (hFile=0x208) returned 1 [0077.773] CloseHandle (hObject=0x208) returned 1 [0077.774] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0077.774] SetEndOfFile (hFile=0x1ec) returned 1 [0077.775] CloseHandle (hObject=0x1ec) returned 1 [0077.775] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0077.775] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 1 [0077.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0077.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0077.776] lstrlenW (lpString=".doc") returned 4 [0077.776] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.776] lstrlenW (lpString=".docx") returned 5 [0077.776] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0077.776] lstrlenW (lpString=".pdf") returned 4 [0077.776] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.776] lstrlenW (lpString=".xls") returned 4 [0077.776] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.776] lstrlenW (lpString=".xlsx") returned 5 [0077.776] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0077.776] lstrlenW (lpString=".ppt") returned 4 [0077.776] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0077.776] lstrlenW (lpString=".zip") returned 4 [0077.776] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.776] lstrlenW (lpString=".rar") returned 4 [0077.776] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.776] lstrlenW (lpString=".bz2") returned 4 [0077.776] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.776] lstrlenW (lpString=".7z") returned 3 [0077.776] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0077.776] lstrlenW (lpString=".dbf") returned 4 [0077.777] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0077.777] lstrlenW (lpString=".1cd") returned 4 [0077.777] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0077.777] lstrlenW (lpString=".jpg") returned 4 [0077.777] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0077.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0077.777] lstrlenW (lpString=".doc") returned 4 [0077.777] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.777] lstrlenW (lpString=".docx") returned 5 [0077.777] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0077.777] lstrlenW (lpString=".pdf") returned 4 [0077.777] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.777] lstrlenW (lpString=".xls") returned 4 [0077.777] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.777] lstrlenW (lpString=".xlsx") returned 5 [0077.777] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0077.777] lstrlenW (lpString=".ppt") returned 4 [0077.777] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0077.777] lstrlenW (lpString=".zip") returned 4 [0077.777] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.777] lstrlenW (lpString=".rar") returned 4 [0077.777] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.777] lstrlenW (lpString=".bz2") returned 4 [0077.777] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.777] lstrlenW (lpString=".7z") returned 3 [0077.777] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0077.777] lstrlenW (lpString=".dbf") returned 4 [0077.778] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0077.778] lstrlenW (lpString=".1cd") returned 4 [0077.778] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0077.778] lstrlenW (lpString=".jpg") returned 4 [0077.778] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.778] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0077.778] lstrlenW (lpString="ProjectMUI.XML") returned 14 [0077.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0077.778] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=1452) returned 1 [0077.778] CloseHandle (hObject=0x1ec) returned 1 [0077.778] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 0x20 [0077.779] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0077.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0077.779] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0077.779] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0077.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0077.781] GetLastError () returned 0x0 [0077.781] ReadFile (in: hFile=0x1ec, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x5ac, lpOverlapped=0x0) returned 1 [0077.785] WriteFile (in: hFile=0x208, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0077.786] ReadFile (in: hFile=0x1ec, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0077.786] WriteFile (in: hFile=0x208, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xf0, lpOverlapped=0x0) returned 1 [0077.786] SetEndOfFile (hFile=0x208) returned 1 [0077.786] CloseHandle (hObject=0x208) returned 1 [0077.795] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0077.795] SetEndOfFile (hFile=0x1ec) returned 1 [0077.796] CloseHandle (hObject=0x1ec) returned 1 [0077.796] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0077.796] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 1 [0077.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0077.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0077.796] lstrlenW (lpString=".doc") returned 4 [0077.796] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.796] lstrlenW (lpString=".docx") returned 5 [0077.796] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0077.796] lstrlenW (lpString=".pdf") returned 4 [0077.796] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.796] lstrlenW (lpString=".xls") returned 4 [0077.796] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.796] lstrlenW (lpString=".xlsx") returned 5 [0077.796] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0077.797] lstrlenW (lpString=".ppt") returned 4 [0077.797] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0077.797] lstrlenW (lpString=".zip") returned 4 [0077.797] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.797] lstrlenW (lpString=".rar") returned 4 [0077.797] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.797] lstrlenW (lpString=".bz2") returned 4 [0077.797] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.797] lstrlenW (lpString=".7z") returned 3 [0077.797] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0077.797] lstrlenW (lpString=".dbf") returned 4 [0077.797] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0077.797] lstrlenW (lpString=".1cd") returned 4 [0077.797] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0077.797] lstrlenW (lpString=".jpg") returned 4 [0077.797] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0077.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0077.797] lstrlenW (lpString=".doc") returned 4 [0077.797] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.797] lstrlenW (lpString=".docx") returned 5 [0077.797] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0077.797] lstrlenW (lpString=".pdf") returned 4 [0077.797] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.798] lstrlenW (lpString=".xls") returned 4 [0077.798] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.798] lstrlenW (lpString=".xlsx") returned 5 [0077.798] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0077.798] lstrlenW (lpString=".ppt") returned 4 [0077.798] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0077.798] lstrlenW (lpString=".zip") returned 4 [0077.798] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.798] lstrlenW (lpString=".rar") returned 4 [0077.798] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.798] lstrlenW (lpString=".bz2") returned 4 [0077.798] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.798] lstrlenW (lpString=".7z") returned 3 [0077.798] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0077.798] lstrlenW (lpString=".dbf") returned 4 [0077.798] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0077.798] lstrlenW (lpString=".1cd") returned 4 [0077.798] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0077.798] lstrlenW (lpString=".jpg") returned 4 [0077.798] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.798] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0077.798] lstrlenW (lpString="SETUP.XML") returned 9 [0077.798] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0077.799] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=1872) returned 1 [0077.799] CloseHandle (hObject=0x1ec) returned 1 [0077.799] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 0x20 [0077.799] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0077.799] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0077.799] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0077.799] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0077.799] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0077.799] GetLastError () returned 0x0 [0077.800] ReadFile (in: hFile=0x1ec, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x750, lpOverlapped=0x0) returned 1 [0077.844] WriteFile (in: hFile=0x208, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x760, lpOverlapped=0x0) returned 1 [0077.845] ReadFile (in: hFile=0x1ec, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0077.845] WriteFile (in: hFile=0x208, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0077.845] SetEndOfFile (hFile=0x208) returned 1 [0077.845] CloseHandle (hObject=0x208) returned 1 [0078.244] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.244] SetEndOfFile (hFile=0x1ec) returned 1 [0078.265] CloseHandle (hObject=0x1ec) returned 1 [0078.265] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.265] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 1 [0078.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0078.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0078.265] lstrlenW (lpString=".doc") returned 4 [0078.265] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.265] lstrlenW (lpString=".docx") returned 5 [0078.265] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.265] lstrlenW (lpString=".pdf") returned 4 [0078.265] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.265] lstrlenW (lpString=".xls") returned 4 [0078.265] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.266] lstrlenW (lpString=".xlsx") returned 5 [0078.266] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.266] lstrlenW (lpString=".ppt") returned 4 [0078.266] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0078.266] lstrlenW (lpString=".zip") returned 4 [0078.266] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.266] lstrlenW (lpString=".rar") returned 4 [0078.266] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.266] lstrlenW (lpString=".bz2") returned 4 [0078.266] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.266] lstrlenW (lpString=".7z") returned 3 [0078.266] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0078.266] lstrlenW (lpString=".dbf") returned 4 [0078.266] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0078.266] lstrlenW (lpString=".1cd") returned 4 [0078.266] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0078.266] lstrlenW (lpString=".jpg") returned 4 [0078.266] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0078.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0078.266] lstrlenW (lpString=".doc") returned 4 [0078.266] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.266] lstrlenW (lpString=".docx") returned 5 [0078.266] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.266] lstrlenW (lpString=".pdf") returned 4 [0078.266] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.266] lstrlenW (lpString=".xls") returned 4 [0078.267] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.267] lstrlenW (lpString=".xlsx") returned 5 [0078.267] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.267] lstrlenW (lpString=".ppt") returned 4 [0078.267] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0078.267] lstrlenW (lpString=".zip") returned 4 [0078.267] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.267] lstrlenW (lpString=".rar") returned 4 [0078.267] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.267] lstrlenW (lpString=".bz2") returned 4 [0078.267] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.267] lstrlenW (lpString=".7z") returned 3 [0078.267] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0078.267] lstrlenW (lpString=".dbf") returned 4 [0078.267] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0078.267] lstrlenW (lpString=".1cd") returned 4 [0078.267] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0078.267] lstrlenW (lpString=".jpg") returned 4 [0078.267] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.267] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0078.267] lstrlenW (lpString="SETUP.XML") returned 9 [0078.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0078.403] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=1608) returned 1 [0078.403] CloseHandle (hObject=0x20c) returned 1 [0078.403] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 0x20 [0078.403] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0078.403] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0078.403] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.403] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.403] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0078.404] GetLastError () returned 0x0 [0078.404] ReadFile (in: hFile=0x20c, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x648, lpOverlapped=0x0) returned 1 [0078.410] WriteFile (in: hFile=0x1b8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x650, lpOverlapped=0x0) returned 1 [0078.414] ReadFile (in: hFile=0x20c, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0078.415] WriteFile (in: hFile=0x1b8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0078.415] SetEndOfFile (hFile=0x1b8) returned 1 [0078.415] CloseHandle (hObject=0x1b8) returned 1 [0078.416] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.416] SetEndOfFile (hFile=0x20c) returned 1 [0078.417] CloseHandle (hObject=0x20c) returned 1 [0078.417] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.418] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 1 [0078.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0078.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0078.418] lstrlenW (lpString=".doc") returned 4 [0078.418] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.418] lstrlenW (lpString=".docx") returned 5 [0078.418] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.418] lstrlenW (lpString=".pdf") returned 4 [0078.418] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.418] lstrlenW (lpString=".xls") returned 4 [0078.418] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.418] lstrlenW (lpString=".xlsx") returned 5 [0078.418] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.418] lstrlenW (lpString=".ppt") returned 4 [0078.418] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0078.418] lstrlenW (lpString=".zip") returned 4 [0078.418] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.418] lstrlenW (lpString=".rar") returned 4 [0078.418] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.418] lstrlenW (lpString=".bz2") returned 4 [0078.418] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.419] lstrlenW (lpString=".7z") returned 3 [0078.419] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0078.419] lstrlenW (lpString=".dbf") returned 4 [0078.419] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0078.419] lstrlenW (lpString=".1cd") returned 4 [0078.419] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0078.419] lstrlenW (lpString=".jpg") returned 4 [0078.419] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0078.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0078.419] lstrlenW (lpString=".doc") returned 4 [0078.419] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.419] lstrlenW (lpString=".docx") returned 5 [0078.419] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.419] lstrlenW (lpString=".pdf") returned 4 [0078.419] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.419] lstrlenW (lpString=".xls") returned 4 [0078.419] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.419] lstrlenW (lpString=".xlsx") returned 5 [0078.419] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.419] lstrlenW (lpString=".ppt") returned 4 [0078.419] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0078.419] lstrlenW (lpString=".zip") returned 4 [0078.420] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.420] lstrlenW (lpString=".rar") returned 4 [0078.420] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.420] lstrlenW (lpString=".bz2") returned 4 [0078.420] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.420] lstrlenW (lpString=".7z") returned 3 [0078.420] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0078.420] lstrlenW (lpString=".dbf") returned 4 [0078.420] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0078.420] lstrlenW (lpString=".1cd") returned 4 [0078.420] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.420] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0078.420] lstrlenW (lpString=".jpg") returned 4 [0078.420] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.420] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0078.420] lstrlenW (lpString="VisiorWW.XML") returned 12 [0078.420] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0078.913] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=8723) returned 1 [0078.913] CloseHandle (hObject=0x204) returned 1 [0078.913] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 0x20 [0078.913] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0078.913] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0078.913] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.913] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0078.914] GetLastError () returned 0x0 [0078.914] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x2213, lpOverlapped=0x0) returned 1 [0078.916] WriteFile (in: hFile=0x208, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x2220, lpOverlapped=0x0) returned 1 [0078.918] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0078.918] WriteFile (in: hFile=0x208, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xec, lpOverlapped=0x0) returned 1 [0078.918] SetEndOfFile (hFile=0x208) returned 1 [0078.918] CloseHandle (hObject=0x208) returned 1 [0078.919] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.919] SetEndOfFile (hFile=0x204) returned 1 [0078.921] CloseHandle (hObject=0x204) returned 1 [0078.921] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.921] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 1 [0078.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0078.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0078.922] lstrlenW (lpString=".doc") returned 4 [0078.922] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.922] lstrlenW (lpString=".docx") returned 5 [0078.922] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0078.922] lstrlenW (lpString=".pdf") returned 4 [0078.922] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.922] lstrlenW (lpString=".xls") returned 4 [0078.922] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.922] lstrlenW (lpString=".xlsx") returned 5 [0078.922] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0078.922] lstrlenW (lpString=".ppt") returned 4 [0078.922] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0078.922] lstrlenW (lpString=".zip") returned 4 [0078.922] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.922] lstrlenW (lpString=".rar") returned 4 [0078.922] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.922] lstrlenW (lpString=".bz2") returned 4 [0078.922] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.922] lstrlenW (lpString=".7z") returned 3 [0078.922] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0078.922] lstrlenW (lpString=".dbf") returned 4 [0078.922] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0078.922] lstrlenW (lpString=".1cd") returned 4 [0078.922] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0078.923] lstrlenW (lpString=".jpg") returned 4 [0078.923] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0078.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0078.923] lstrlenW (lpString=".doc") returned 4 [0078.923] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.923] lstrlenW (lpString=".docx") returned 5 [0078.923] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0078.923] lstrlenW (lpString=".pdf") returned 4 [0078.923] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.923] lstrlenW (lpString=".xls") returned 4 [0078.923] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.923] lstrlenW (lpString=".xlsx") returned 5 [0078.923] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0078.923] lstrlenW (lpString=".ppt") returned 4 [0078.923] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0078.923] lstrlenW (lpString=".zip") returned 4 [0078.923] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.923] lstrlenW (lpString=".rar") returned 4 [0078.923] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.923] lstrlenW (lpString=".bz2") returned 4 [0078.923] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.923] lstrlenW (lpString=".7z") returned 3 [0078.923] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0078.924] lstrlenW (lpString=".dbf") returned 4 [0078.924] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0078.924] lstrlenW (lpString=".1cd") returned 4 [0078.924] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0078.924] lstrlenW (lpString=".jpg") returned 4 [0078.924] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.924] lstrcmpiW (lpString1=".HTM", lpString2=".mnbzr") returned -1 [0078.924] lstrlenW (lpString="MCABOUT.HTM") returned 11 [0078.924] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0078.925] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=11463) returned 1 [0078.925] CloseHandle (hObject=0x204) returned 1 [0078.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 0x20 [0078.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0078.925] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0078.925] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.925] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.925] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0078.928] GetLastError () returned 0x0 [0078.928] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x2cc7, lpOverlapped=0x0) returned 1 [0078.930] WriteFile (in: hFile=0x208, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x2cd0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x2cd0, lpOverlapped=0x0) returned 1 [0078.931] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0078.931] WriteFile (in: hFile=0x208, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xea, lpOverlapped=0x0) returned 1 [0078.931] SetEndOfFile (hFile=0x208) returned 1 [0078.931] CloseHandle (hObject=0x208) returned 1 [0078.932] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.933] SetEndOfFile (hFile=0x204) returned 1 [0078.934] CloseHandle (hObject=0x204) returned 1 [0078.934] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.934] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 1 [0078.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0078.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0078.934] lstrlenW (lpString=".doc") returned 4 [0078.934] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0078.934] lstrlenW (lpString=".docx") returned 5 [0078.934] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0078.935] lstrlenW (lpString=".pdf") returned 4 [0078.935] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0078.935] lstrlenW (lpString=".xls") returned 4 [0078.935] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0078.935] lstrlenW (lpString=".xlsx") returned 5 [0078.935] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0078.935] lstrlenW (lpString=".ppt") returned 4 [0078.935] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0078.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0078.935] lstrlenW (lpString=".zip") returned 4 [0078.935] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0078.935] lstrlenW (lpString=".rar") returned 4 [0078.935] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0078.935] lstrlenW (lpString=".bz2") returned 4 [0078.935] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0078.935] lstrlenW (lpString=".7z") returned 3 [0078.935] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0078.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0078.935] lstrlenW (lpString=".dbf") returned 4 [0078.935] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0078.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0078.935] lstrlenW (lpString=".1cd") returned 4 [0078.935] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0078.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0078.935] lstrlenW (lpString=".jpg") returned 4 [0078.935] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0078.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0078.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0078.936] lstrlenW (lpString=".doc") returned 4 [0078.936] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0078.936] lstrlenW (lpString=".docx") returned 5 [0078.936] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0078.936] lstrlenW (lpString=".pdf") returned 4 [0078.936] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0078.936] lstrlenW (lpString=".xls") returned 4 [0078.936] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0078.936] lstrlenW (lpString=".xlsx") returned 5 [0078.936] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0078.936] lstrlenW (lpString=".ppt") returned 4 [0078.936] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0078.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0078.936] lstrlenW (lpString=".zip") returned 4 [0078.936] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0078.936] lstrlenW (lpString=".rar") returned 4 [0078.936] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0078.936] lstrlenW (lpString=".bz2") returned 4 [0078.936] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0078.936] lstrlenW (lpString=".7z") returned 3 [0078.936] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0078.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0078.936] lstrlenW (lpString=".dbf") returned 4 [0078.936] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0078.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0078.936] lstrlenW (lpString=".1cd") returned 4 [0078.937] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0078.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0078.937] lstrlenW (lpString=".jpg") returned 4 [0078.937] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0078.937] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0078.937] lstrlenW (lpString="DATES.XML") returned 9 [0078.937] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0078.937] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=8918) returned 1 [0078.937] CloseHandle (hObject=0x204) returned 1 [0078.937] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 0x20 [0078.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0078.938] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0078.938] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.938] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.938] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0079.521] GetLastError () returned 0x0 [0079.521] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x22d6, lpOverlapped=0x0) returned 1 [0079.601] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x22e0, lpOverlapped=0x0) returned 1 [0079.602] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0079.602] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0079.602] SetEndOfFile (hFile=0x1d4) returned 1 [0079.603] CloseHandle (hObject=0x1d4) returned 1 [0079.604] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.604] SetEndOfFile (hFile=0x204) returned 1 [0079.605] CloseHandle (hObject=0x204) returned 1 [0079.605] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0079.606] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 1 [0079.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0079.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0079.606] lstrlenW (lpString=".doc") returned 4 [0079.606] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0079.606] lstrlenW (lpString=".docx") returned 5 [0079.606] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0079.606] lstrlenW (lpString=".pdf") returned 4 [0079.606] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0079.606] lstrlenW (lpString=".xls") returned 4 [0079.606] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0079.606] lstrlenW (lpString=".xlsx") returned 5 [0079.606] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0079.606] lstrlenW (lpString=".ppt") returned 4 [0079.606] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0079.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0079.606] lstrlenW (lpString=".zip") returned 4 [0079.606] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0079.606] lstrlenW (lpString=".rar") returned 4 [0079.606] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0079.607] lstrlenW (lpString=".bz2") returned 4 [0079.607] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0079.607] lstrlenW (lpString=".7z") returned 3 [0079.607] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0079.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0079.607] lstrlenW (lpString=".dbf") returned 4 [0079.607] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0079.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0079.607] lstrlenW (lpString=".1cd") returned 4 [0079.607] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0079.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0079.607] lstrlenW (lpString=".jpg") returned 4 [0079.607] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0079.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0079.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0079.607] lstrlenW (lpString=".doc") returned 4 [0079.607] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0079.607] lstrlenW (lpString=".docx") returned 5 [0079.607] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0079.607] lstrlenW (lpString=".pdf") returned 4 [0079.607] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0079.607] lstrlenW (lpString=".xls") returned 4 [0079.607] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0079.607] lstrlenW (lpString=".xlsx") returned 5 [0079.607] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0079.607] lstrlenW (lpString=".ppt") returned 4 [0079.608] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0079.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0079.608] lstrlenW (lpString=".zip") returned 4 [0079.608] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0079.608] lstrlenW (lpString=".rar") returned 4 [0079.608] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0079.608] lstrlenW (lpString=".bz2") returned 4 [0079.608] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0079.608] lstrlenW (lpString=".7z") returned 3 [0079.608] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0079.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0079.608] lstrlenW (lpString=".dbf") returned 4 [0079.608] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0079.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0079.608] lstrlenW (lpString=".1cd") returned 4 [0079.608] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0079.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0079.608] lstrlenW (lpString=".jpg") returned 4 [0079.608] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0079.608] lstrcmpiW (lpString1=".DAT", lpString2=".mnbzr") returned -1 [0079.608] lstrlenW (lpString="STOCKS.DAT") returned 10 [0079.608] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0079.610] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=39017) returned 1 [0079.610] CloseHandle (hObject=0x204) returned 1 [0079.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 0x20 [0079.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0079.611] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0079.611] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.611] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.611] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0079.611] GetLastError () returned 0x0 [0079.611] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x9869, lpOverlapped=0x0) returned 1 [0079.631] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x9870, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x9870, lpOverlapped=0x0) returned 1 [0079.635] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0079.635] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0079.635] SetEndOfFile (hFile=0x1d4) returned 1 [0079.636] CloseHandle (hObject=0x1d4) returned 1 [0079.637] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.637] SetEndOfFile (hFile=0x204) returned 1 [0079.647] CloseHandle (hObject=0x204) returned 1 [0079.647] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0079.647] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 1 [0079.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0079.648] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0079.648] lstrlenW (lpString=".doc") returned 4 [0079.648] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0079.648] lstrlenW (lpString=".docx") returned 5 [0079.648] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0079.648] lstrlenW (lpString=".pdf") returned 4 [0079.648] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0079.648] lstrlenW (lpString=".xls") returned 4 [0079.648] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0079.648] lstrlenW (lpString=".xlsx") returned 5 [0079.648] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0079.648] lstrlenW (lpString=".ppt") returned 4 [0079.648] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0079.648] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0079.648] lstrlenW (lpString=".zip") returned 4 [0079.648] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0079.648] lstrlenW (lpString=".rar") returned 4 [0079.648] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0079.648] lstrlenW (lpString=".bz2") returned 4 [0079.648] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0079.648] lstrlenW (lpString=".7z") returned 3 [0079.648] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0079.648] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0079.648] lstrlenW (lpString=".dbf") returned 4 [0079.648] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0079.648] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0079.649] lstrlenW (lpString=".1cd") returned 4 [0079.649] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0079.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0079.649] lstrlenW (lpString=".jpg") returned 4 [0079.649] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0079.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0079.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0079.649] lstrlenW (lpString=".doc") returned 4 [0079.649] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0079.649] lstrlenW (lpString=".docx") returned 5 [0079.649] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0079.649] lstrlenW (lpString=".pdf") returned 4 [0079.649] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0079.649] lstrlenW (lpString=".xls") returned 4 [0079.649] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0079.649] lstrlenW (lpString=".xlsx") returned 5 [0079.649] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0079.649] lstrlenW (lpString=".ppt") returned 4 [0079.649] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0079.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0079.649] lstrlenW (lpString=".zip") returned 4 [0079.649] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0079.649] lstrlenW (lpString=".rar") returned 4 [0079.649] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0079.649] lstrlenW (lpString=".bz2") returned 4 [0079.649] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0079.649] lstrlenW (lpString=".7z") returned 3 [0079.650] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0079.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0079.650] lstrlenW (lpString=".dbf") returned 4 [0079.650] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0079.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0079.650] lstrlenW (lpString=".1cd") returned 4 [0079.650] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0079.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0079.650] lstrlenW (lpString=".jpg") returned 4 [0079.650] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0079.650] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0079.650] lstrlenW (lpString="STOCKS.XML") returned 10 [0079.650] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0079.651] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=2687) returned 1 [0079.651] CloseHandle (hObject=0x204) returned 1 [0079.651] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 0x20 [0079.651] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0079.651] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0079.651] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.651] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.651] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0079.651] GetLastError () returned 0x0 [0079.652] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0xa7f, lpOverlapped=0x0) returned 1 [0079.910] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xa80, lpOverlapped=0x0) returned 1 [0079.912] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0079.912] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0079.913] SetEndOfFile (hFile=0x1d4) returned 1 [0079.913] CloseHandle (hObject=0x1d4) returned 1 [0079.914] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.914] SetEndOfFile (hFile=0x204) returned 1 [0079.915] CloseHandle (hObject=0x204) returned 1 [0079.915] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0079.915] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 1 [0079.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0079.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0079.916] lstrlenW (lpString=".doc") returned 4 [0079.916] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0079.916] lstrlenW (lpString=".docx") returned 5 [0079.916] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0079.916] lstrlenW (lpString=".pdf") returned 4 [0079.916] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0079.916] lstrlenW (lpString=".xls") returned 4 [0079.916] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0079.916] lstrlenW (lpString=".xlsx") returned 5 [0079.916] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0079.916] lstrlenW (lpString=".ppt") returned 4 [0079.916] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0079.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0079.916] lstrlenW (lpString=".zip") returned 4 [0079.916] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0079.916] lstrlenW (lpString=".rar") returned 4 [0079.916] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0079.916] lstrlenW (lpString=".bz2") returned 4 [0079.916] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0079.916] lstrlenW (lpString=".7z") returned 3 [0079.916] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0079.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0079.916] lstrlenW (lpString=".dbf") returned 4 [0079.916] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0079.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0079.917] lstrlenW (lpString=".1cd") returned 4 [0079.917] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0079.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0079.917] lstrlenW (lpString=".jpg") returned 4 [0079.917] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0079.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0079.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0079.917] lstrlenW (lpString=".doc") returned 4 [0079.917] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0079.917] lstrlenW (lpString=".docx") returned 5 [0079.917] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0079.917] lstrlenW (lpString=".pdf") returned 4 [0079.917] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0079.917] lstrlenW (lpString=".xls") returned 4 [0079.917] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0079.917] lstrlenW (lpString=".xlsx") returned 5 [0079.917] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0079.917] lstrlenW (lpString=".ppt") returned 4 [0079.917] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0079.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0079.917] lstrlenW (lpString=".zip") returned 4 [0079.917] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0079.917] lstrlenW (lpString=".rar") returned 4 [0079.917] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0079.917] lstrlenW (lpString=".bz2") returned 4 [0079.917] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0079.917] lstrlenW (lpString=".7z") returned 3 [0079.918] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0079.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0079.918] lstrlenW (lpString=".dbf") returned 4 [0079.918] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0079.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0079.918] lstrlenW (lpString=".1cd") returned 4 [0079.918] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0079.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0079.918] lstrlenW (lpString=".jpg") returned 4 [0079.918] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0080.076] lstrcmpiW (lpString1=".emf", lpString2=".mnbzr") returned -1 [0080.076] lstrlenW (lpString="Genko_2.emf") returned 11 [0080.076] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0082.535] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=10340) returned 1 [0082.535] CloseHandle (hObject=0x204) returned 1 [0082.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf")) returned 0x20 [0082.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.535] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0082.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0082.535] lstrlenW (lpString=".doc") returned 4 [0082.535] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0082.536] lstrlenW (lpString=".docx") returned 5 [0082.536] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0082.536] lstrlenW (lpString=".pdf") returned 4 [0082.536] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0082.536] lstrlenW (lpString=".xls") returned 4 [0082.536] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0082.536] lstrlenW (lpString=".xlsx") returned 5 [0082.536] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0082.536] lstrlenW (lpString=".ppt") returned 4 [0082.536] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0082.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0082.536] lstrlenW (lpString=".zip") returned 4 [0082.536] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0082.536] lstrlenW (lpString=".rar") returned 4 [0082.536] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0082.536] lstrlenW (lpString=".bz2") returned 4 [0082.536] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0082.536] lstrlenW (lpString=".7z") returned 3 [0082.536] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0082.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0082.536] lstrlenW (lpString=".dbf") returned 4 [0082.536] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0082.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0082.536] lstrlenW (lpString=".1cd") returned 4 [0082.536] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0082.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0082.536] lstrlenW (lpString=".jpg") returned 4 [0082.536] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0082.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0082.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0082.537] lstrlenW (lpString=".doc") returned 4 [0082.537] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0082.537] lstrlenW (lpString=".docx") returned 5 [0082.537] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0082.537] lstrlenW (lpString=".pdf") returned 4 [0082.537] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0082.537] lstrlenW (lpString=".xls") returned 4 [0082.537] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0082.537] lstrlenW (lpString=".xlsx") returned 5 [0082.537] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0082.537] lstrlenW (lpString=".ppt") returned 4 [0082.537] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0082.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0082.537] lstrlenW (lpString=".zip") returned 4 [0082.537] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0082.537] lstrlenW (lpString=".rar") returned 4 [0082.537] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0082.537] lstrlenW (lpString=".bz2") returned 4 [0082.537] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0082.537] lstrlenW (lpString=".7z") returned 3 [0082.537] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0082.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0082.537] lstrlenW (lpString=".dbf") returned 4 [0082.537] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0082.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0082.537] lstrlenW (lpString=".1cd") returned 4 [0082.538] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0082.538] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0082.538] lstrlenW (lpString=".jpg") returned 4 [0082.538] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0082.538] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0082.538] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0082.538] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0082.887] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=2985) returned 1 [0082.887] CloseHandle (hObject=0x1d0) returned 1 [0082.887] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 0x20 [0082.887] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.887] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0082.887] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0082.887] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0082.887] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0083.709] GetLastError () returned 0x0 [0083.709] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0xba9, lpOverlapped=0x0) returned 1 [0083.720] WriteFile (in: hFile=0x1d8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xbb0, lpOverlapped=0x0) returned 1 [0083.721] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0083.721] WriteFile (in: hFile=0x1d8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xea, lpOverlapped=0x0) returned 1 [0083.721] SetEndOfFile (hFile=0x1d8) returned 1 [0083.721] CloseHandle (hObject=0x1d8) returned 1 [0083.721] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0083.721] SetEndOfFile (hFile=0x1d0) returned 1 [0083.722] CloseHandle (hObject=0x1d0) returned 1 [0083.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0083.723] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 1 [0083.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0083.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0083.723] lstrlenW (lpString=".doc") returned 4 [0083.723] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0083.723] lstrlenW (lpString=".docx") returned 5 [0083.723] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0083.723] lstrlenW (lpString=".pdf") returned 4 [0083.723] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0083.723] lstrlenW (lpString=".xls") returned 4 [0083.723] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0083.723] lstrlenW (lpString=".xlsx") returned 5 [0083.723] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0083.723] lstrlenW (lpString=".ppt") returned 4 [0083.723] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0083.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0083.723] lstrlenW (lpString=".zip") returned 4 [0083.723] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0083.723] lstrlenW (lpString=".rar") returned 4 [0083.724] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0083.724] lstrlenW (lpString=".bz2") returned 4 [0083.724] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0083.724] lstrlenW (lpString=".7z") returned 3 [0083.724] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0083.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0083.724] lstrlenW (lpString=".dbf") returned 4 [0083.724] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0083.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0083.724] lstrlenW (lpString=".1cd") returned 4 [0083.724] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0083.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0083.724] lstrlenW (lpString=".jpg") returned 4 [0083.724] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0083.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0083.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0083.724] lstrlenW (lpString=".doc") returned 4 [0083.724] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0083.724] lstrlenW (lpString=".docx") returned 5 [0083.724] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0083.724] lstrlenW (lpString=".pdf") returned 4 [0083.724] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0083.724] lstrlenW (lpString=".xls") returned 4 [0083.724] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0083.724] lstrlenW (lpString=".xlsx") returned 5 [0083.724] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0083.725] lstrlenW (lpString=".ppt") returned 4 [0083.725] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0083.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0083.725] lstrlenW (lpString=".zip") returned 4 [0083.725] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0083.725] lstrlenW (lpString=".rar") returned 4 [0083.725] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0083.725] lstrlenW (lpString=".bz2") returned 4 [0083.725] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0083.725] lstrlenW (lpString=".7z") returned 3 [0083.725] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0083.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0083.725] lstrlenW (lpString=".dbf") returned 4 [0083.725] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0083.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0083.725] lstrlenW (lpString=".1cd") returned 4 [0083.725] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0083.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0083.725] lstrlenW (lpString=".jpg") returned 4 [0083.725] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0083.725] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0083.725] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0083.726] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0083.726] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=20627) returned 1 [0083.726] CloseHandle (hObject=0x1d0) returned 1 [0083.726] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 0x20 [0083.726] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0083.726] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0083.727] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0083.727] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0083.727] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0083.740] GetLastError () returned 0x0 [0083.740] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x5093, lpOverlapped=0x0) returned 1 [0083.762] WriteFile (in: hFile=0x1e8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x50a0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x50a0, lpOverlapped=0x0) returned 1 [0083.766] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0083.766] WriteFile (in: hFile=0x1e8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xec, lpOverlapped=0x0) returned 1 [0083.766] SetEndOfFile (hFile=0x1e8) returned 1 [0083.766] CloseHandle (hObject=0x1e8) returned 1 [0083.766] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0083.766] SetEndOfFile (hFile=0x1d0) returned 1 [0083.767] CloseHandle (hObject=0x1d0) returned 1 [0083.767] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0083.767] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 1 [0083.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0083.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0083.768] lstrlenW (lpString=".doc") returned 4 [0083.768] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0083.768] lstrlenW (lpString=".docx") returned 5 [0083.768] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0083.768] lstrlenW (lpString=".pdf") returned 4 [0083.768] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0083.768] lstrlenW (lpString=".xls") returned 4 [0083.768] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0083.768] lstrlenW (lpString=".xlsx") returned 5 [0083.768] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0083.768] lstrlenW (lpString=".ppt") returned 4 [0083.768] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0083.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0083.768] lstrlenW (lpString=".zip") returned 4 [0083.768] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0083.768] lstrlenW (lpString=".rar") returned 4 [0083.768] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0083.768] lstrlenW (lpString=".bz2") returned 4 [0083.768] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0083.768] lstrlenW (lpString=".7z") returned 3 [0083.768] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0083.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0083.768] lstrlenW (lpString=".dbf") returned 4 [0083.768] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0083.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0083.768] lstrlenW (lpString=".1cd") returned 4 [0083.768] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0083.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0083.769] lstrlenW (lpString=".jpg") returned 4 [0083.769] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0083.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0083.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0083.769] lstrlenW (lpString=".doc") returned 4 [0083.769] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0083.769] lstrlenW (lpString=".docx") returned 5 [0083.769] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0083.769] lstrlenW (lpString=".pdf") returned 4 [0083.769] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0083.769] lstrlenW (lpString=".xls") returned 4 [0083.769] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0083.769] lstrlenW (lpString=".xlsx") returned 5 [0083.769] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0083.769] lstrlenW (lpString=".ppt") returned 4 [0083.769] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0083.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0083.769] lstrlenW (lpString=".zip") returned 4 [0083.769] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0083.769] lstrlenW (lpString=".rar") returned 4 [0083.769] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0083.769] lstrlenW (lpString=".bz2") returned 4 [0083.769] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0083.769] lstrlenW (lpString=".7z") returned 3 [0083.769] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0083.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0083.769] lstrlenW (lpString=".dbf") returned 4 [0083.769] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0083.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0083.769] lstrlenW (lpString=".1cd") returned 4 [0083.769] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0083.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0083.770] lstrlenW (lpString=".jpg") returned 4 [0083.770] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0083.770] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0083.770] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0083.770] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0083.773] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=27407) returned 1 [0083.773] CloseHandle (hObject=0x1d0) returned 1 [0083.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 0x20 [0083.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0083.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0083.773] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0083.773] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0083.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0083.774] GetLastError () returned 0x0 [0083.774] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x6b0f, lpOverlapped=0x0) returned 1 [0083.776] WriteFile (in: hFile=0x1e8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x6b10, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x6b10, lpOverlapped=0x0) returned 1 [0083.777] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0083.778] WriteFile (in: hFile=0x1e8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xec, lpOverlapped=0x0) returned 1 [0083.778] SetEndOfFile (hFile=0x1e8) returned 1 [0083.778] CloseHandle (hObject=0x1e8) returned 1 [0083.778] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0083.778] SetEndOfFile (hFile=0x1d0) returned 1 [0083.779] CloseHandle (hObject=0x1d0) returned 1 [0083.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0083.779] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 1 [0083.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0083.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0083.780] lstrlenW (lpString=".doc") returned 4 [0083.780] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0083.780] lstrlenW (lpString=".docx") returned 5 [0083.780] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0083.780] lstrlenW (lpString=".pdf") returned 4 [0083.780] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0083.780] lstrlenW (lpString=".xls") returned 4 [0083.780] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0083.780] lstrlenW (lpString=".xlsx") returned 5 [0083.780] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0083.780] lstrlenW (lpString=".ppt") returned 4 [0083.780] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0083.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0083.780] lstrlenW (lpString=".zip") returned 4 [0083.780] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0083.780] lstrlenW (lpString=".rar") returned 4 [0083.780] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0083.780] lstrlenW (lpString=".bz2") returned 4 [0083.780] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0083.780] lstrlenW (lpString=".7z") returned 3 [0083.780] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0083.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0083.780] lstrlenW (lpString=".dbf") returned 4 [0083.781] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0083.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0083.781] lstrlenW (lpString=".1cd") returned 4 [0083.781] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0083.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0083.781] lstrlenW (lpString=".jpg") returned 4 [0083.781] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0083.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0083.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0083.781] lstrlenW (lpString=".doc") returned 4 [0083.781] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0083.781] lstrlenW (lpString=".docx") returned 5 [0083.781] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0083.781] lstrlenW (lpString=".pdf") returned 4 [0083.781] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0083.781] lstrlenW (lpString=".xls") returned 4 [0083.781] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0083.781] lstrlenW (lpString=".xlsx") returned 5 [0083.781] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0083.781] lstrlenW (lpString=".ppt") returned 4 [0083.781] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0083.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0083.781] lstrlenW (lpString=".zip") returned 4 [0083.781] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0083.781] lstrlenW (lpString=".rar") returned 4 [0083.781] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0083.781] lstrlenW (lpString=".bz2") returned 4 [0083.781] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0083.781] lstrlenW (lpString=".7z") returned 3 [0083.781] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0083.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0083.781] lstrlenW (lpString=".dbf") returned 4 [0083.781] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0083.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0083.782] lstrlenW (lpString=".1cd") returned 4 [0083.782] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0083.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0083.782] lstrlenW (lpString=".jpg") returned 4 [0083.782] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0083.782] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0083.782] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0083.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0083.782] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=3479) returned 1 [0083.782] CloseHandle (hObject=0x1d0) returned 1 [0083.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 0x20 [0083.783] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0083.783] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0083.783] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0083.783] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0083.783] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0084.092] GetLastError () returned 0x0 [0084.092] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0xd97, lpOverlapped=0x0) returned 1 [0084.104] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xda0, lpOverlapped=0x0) returned 1 [0084.105] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0084.105] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xea, lpOverlapped=0x0) returned 1 [0084.105] SetEndOfFile (hFile=0x1d4) returned 1 [0084.105] CloseHandle (hObject=0x1d4) returned 1 [0084.105] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0084.105] SetEndOfFile (hFile=0x1d0) returned 1 [0084.106] CloseHandle (hObject=0x1d0) returned 1 [0084.107] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0084.107] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 1 [0084.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0084.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0084.107] lstrlenW (lpString=".doc") returned 4 [0084.107] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.107] lstrlenW (lpString=".docx") returned 5 [0084.107] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.107] lstrlenW (lpString=".pdf") returned 4 [0084.108] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.108] lstrlenW (lpString=".xls") returned 4 [0084.108] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.108] lstrlenW (lpString=".xlsx") returned 5 [0084.108] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.108] lstrlenW (lpString=".ppt") returned 4 [0084.108] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0084.108] lstrlenW (lpString=".zip") returned 4 [0084.108] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.108] lstrlenW (lpString=".rar") returned 4 [0084.108] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.108] lstrlenW (lpString=".bz2") returned 4 [0084.108] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0084.108] lstrlenW (lpString=".7z") returned 3 [0084.108] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0084.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0084.108] lstrlenW (lpString=".dbf") returned 4 [0084.108] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0084.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0084.108] lstrlenW (lpString=".1cd") returned 4 [0084.108] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0084.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0084.108] lstrlenW (lpString=".jpg") returned 4 [0084.108] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0084.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0084.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0084.108] lstrlenW (lpString=".doc") returned 4 [0084.108] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.109] lstrlenW (lpString=".docx") returned 5 [0084.109] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.109] lstrlenW (lpString=".pdf") returned 4 [0084.109] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.109] lstrlenW (lpString=".xls") returned 4 [0084.109] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.109] lstrlenW (lpString=".xlsx") returned 5 [0084.109] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.109] lstrlenW (lpString=".ppt") returned 4 [0084.109] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0084.109] lstrlenW (lpString=".zip") returned 4 [0084.109] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.109] lstrlenW (lpString=".rar") returned 4 [0084.109] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.109] lstrlenW (lpString=".bz2") returned 4 [0084.109] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0084.109] lstrlenW (lpString=".7z") returned 3 [0084.109] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0084.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0084.109] lstrlenW (lpString=".dbf") returned 4 [0084.109] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0084.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0084.109] lstrlenW (lpString=".1cd") returned 4 [0084.109] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0084.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0084.109] lstrlenW (lpString=".jpg") returned 4 [0084.109] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0084.110] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0084.110] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0084.110] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0084.110] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=945) returned 1 [0084.110] CloseHandle (hObject=0x1d0) returned 1 [0084.110] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 0x20 [0084.110] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0084.111] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0084.111] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0084.111] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0084.111] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0084.113] GetLastError () returned 0x0 [0084.113] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x3b1, lpOverlapped=0x0) returned 1 [0084.115] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x3c0, lpOverlapped=0x0) returned 1 [0084.117] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0084.117] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xea, lpOverlapped=0x0) returned 1 [0084.117] SetEndOfFile (hFile=0x1d4) returned 1 [0084.117] CloseHandle (hObject=0x1d4) returned 1 [0084.117] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0084.117] SetEndOfFile (hFile=0x1d0) returned 1 [0084.118] CloseHandle (hObject=0x1d0) returned 1 [0084.118] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0084.118] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 1 [0084.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0084.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0084.119] lstrlenW (lpString=".doc") returned 4 [0084.119] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.119] lstrlenW (lpString=".docx") returned 5 [0084.119] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.119] lstrlenW (lpString=".pdf") returned 4 [0084.119] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.119] lstrlenW (lpString=".xls") returned 4 [0084.119] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.119] lstrlenW (lpString=".xlsx") returned 5 [0084.119] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.119] lstrlenW (lpString=".ppt") returned 4 [0084.119] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0084.119] lstrlenW (lpString=".zip") returned 4 [0084.119] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.119] lstrlenW (lpString=".rar") returned 4 [0084.119] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.119] lstrlenW (lpString=".bz2") returned 4 [0084.119] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0084.119] lstrlenW (lpString=".7z") returned 3 [0084.119] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0084.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0084.119] lstrlenW (lpString=".dbf") returned 4 [0084.119] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0084.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0084.119] lstrlenW (lpString=".1cd") returned 4 [0084.119] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0084.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0084.120] lstrlenW (lpString=".jpg") returned 4 [0084.120] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0084.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0084.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0084.120] lstrlenW (lpString=".doc") returned 4 [0084.120] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.120] lstrlenW (lpString=".docx") returned 5 [0084.120] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.120] lstrlenW (lpString=".pdf") returned 4 [0084.120] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.120] lstrlenW (lpString=".xls") returned 4 [0084.120] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.120] lstrlenW (lpString=".xlsx") returned 5 [0084.120] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.120] lstrlenW (lpString=".ppt") returned 4 [0084.120] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0084.120] lstrlenW (lpString=".zip") returned 4 [0084.120] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.120] lstrlenW (lpString=".rar") returned 4 [0084.120] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.120] lstrlenW (lpString=".bz2") returned 4 [0084.120] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0084.120] lstrlenW (lpString=".7z") returned 3 [0084.120] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0084.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0084.120] lstrlenW (lpString=".dbf") returned 4 [0084.120] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0084.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0084.120] lstrlenW (lpString=".1cd") returned 4 [0084.120] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0084.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0084.121] lstrlenW (lpString=".jpg") returned 4 [0084.121] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0084.121] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0084.121] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0084.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0084.122] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=32607) returned 1 [0084.122] CloseHandle (hObject=0x1d0) returned 1 [0084.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 0x20 [0084.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0084.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0084.122] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0084.122] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0084.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0084.123] GetLastError () returned 0x0 [0084.123] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x7f5f, lpOverlapped=0x0) returned 1 [0084.126] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x7f60, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x7f60, lpOverlapped=0x0) returned 1 [0084.127] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0084.128] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xec, lpOverlapped=0x0) returned 1 [0084.128] SetEndOfFile (hFile=0x1d4) returned 1 [0084.128] CloseHandle (hObject=0x1d4) returned 1 [0084.128] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0084.128] SetEndOfFile (hFile=0x1d0) returned 1 [0084.129] CloseHandle (hObject=0x1d0) returned 1 [0084.129] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0084.129] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 1 [0084.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0084.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0084.130] lstrlenW (lpString=".doc") returned 4 [0084.130] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0084.130] lstrlenW (lpString=".docx") returned 5 [0084.130] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0084.130] lstrlenW (lpString=".pdf") returned 4 [0084.130] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0084.130] lstrlenW (lpString=".xls") returned 4 [0084.130] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0084.130] lstrlenW (lpString=".xlsx") returned 5 [0084.130] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0084.130] lstrlenW (lpString=".ppt") returned 4 [0084.130] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0084.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0084.130] lstrlenW (lpString=".zip") returned 4 [0084.130] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0084.130] lstrlenW (lpString=".rar") returned 4 [0084.130] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0084.130] lstrlenW (lpString=".bz2") returned 4 [0084.130] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0084.130] lstrlenW (lpString=".7z") returned 3 [0084.130] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0084.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0084.130] lstrlenW (lpString=".dbf") returned 4 [0084.130] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0084.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0084.130] lstrlenW (lpString=".1cd") returned 4 [0084.130] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0084.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0084.131] lstrlenW (lpString=".jpg") returned 4 [0084.131] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0084.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0084.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0084.131] lstrlenW (lpString=".doc") returned 4 [0084.131] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0084.131] lstrlenW (lpString=".docx") returned 5 [0084.131] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0084.131] lstrlenW (lpString=".pdf") returned 4 [0084.131] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0084.131] lstrlenW (lpString=".xls") returned 4 [0084.131] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0084.131] lstrlenW (lpString=".xlsx") returned 5 [0084.131] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0084.131] lstrlenW (lpString=".ppt") returned 4 [0084.131] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0084.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0084.131] lstrlenW (lpString=".zip") returned 4 [0084.131] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0084.131] lstrlenW (lpString=".rar") returned 4 [0084.131] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0084.131] lstrlenW (lpString=".bz2") returned 4 [0084.131] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0084.131] lstrlenW (lpString=".7z") returned 3 [0084.131] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0084.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0084.131] lstrlenW (lpString=".dbf") returned 4 [0084.131] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0084.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0084.131] lstrlenW (lpString=".1cd") returned 4 [0084.131] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0084.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0084.132] lstrlenW (lpString=".jpg") returned 4 [0084.132] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0084.132] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0084.132] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0084.132] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0084.133] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=2044) returned 1 [0084.133] CloseHandle (hObject=0x1d0) returned 1 [0084.133] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 0x20 [0084.133] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0084.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0084.133] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0084.133] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0084.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0084.135] GetLastError () returned 0x0 [0084.135] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x7fc, lpOverlapped=0x0) returned 1 [0084.580] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x800, lpOverlapped=0x0) returned 1 [0084.581] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0084.581] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xea, lpOverlapped=0x0) returned 1 [0084.581] SetEndOfFile (hFile=0x1d4) returned 1 [0084.582] CloseHandle (hObject=0x1d4) returned 1 [0084.582] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0084.582] SetEndOfFile (hFile=0x1d0) returned 1 [0084.583] CloseHandle (hObject=0x1d0) returned 1 [0084.583] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0084.584] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 1 [0084.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0084.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0084.584] lstrlenW (lpString=".doc") returned 4 [0084.584] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.584] lstrlenW (lpString=".docx") returned 5 [0084.584] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.584] lstrlenW (lpString=".pdf") returned 4 [0084.584] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.584] lstrlenW (lpString=".xls") returned 4 [0084.584] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.584] lstrlenW (lpString=".xlsx") returned 5 [0084.584] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.584] lstrlenW (lpString=".ppt") returned 4 [0084.584] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0084.584] lstrlenW (lpString=".zip") returned 4 [0084.584] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.584] lstrlenW (lpString=".rar") returned 4 [0084.584] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.585] lstrlenW (lpString=".bz2") returned 4 [0085.181] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.181] lstrlenW (lpString=".7z") returned 3 [0085.181] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0085.181] lstrlenW (lpString=".dbf") returned 4 [0085.181] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0085.181] lstrlenW (lpString=".1cd") returned 4 [0085.181] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0085.181] lstrlenW (lpString=".jpg") returned 4 [0085.181] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0085.191] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0085.191] lstrlenW (lpString=".doc") returned 4 [0085.191] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.193] lstrlenW (lpString=".docx") returned 5 [0085.193] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.193] lstrlenW (lpString=".pdf") returned 4 [0085.193] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.201] lstrlenW (lpString=".xls") returned 4 [0085.201] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.201] lstrlenW (lpString=".xlsx") returned 5 [0085.201] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.201] lstrlenW (lpString=".ppt") returned 4 [0085.210] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0085.221] lstrlenW (lpString=".zip") returned 4 [0085.221] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.221] lstrlenW (lpString=".rar") returned 4 [0085.221] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.221] lstrlenW (lpString=".bz2") returned 4 [0085.221] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.221] lstrlenW (lpString=".7z") returned 3 [0085.221] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0085.221] lstrlenW (lpString=".dbf") returned 4 [0085.221] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0085.221] lstrlenW (lpString=".1cd") returned 4 [0085.221] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0085.221] lstrlenW (lpString=".jpg") returned 4 [0085.221] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.222] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.222] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.222] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.484] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=25106) returned 1 [0085.484] CloseHandle (hObject=0x1cc) returned 1 [0085.484] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 0x20 [0085.484] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.484] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.484] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.509] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.509] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.510] GetLastError () returned 0x0 [0085.510] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x6212, lpOverlapped=0x0) returned 1 [0085.513] WriteFile (in: hFile=0x1b0, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x6220, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x6220, lpOverlapped=0x0) returned 1 [0085.514] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0085.514] WriteFile (in: hFile=0x1b0, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.515] SetEndOfFile (hFile=0x1b0) returned 1 [0085.515] CloseHandle (hObject=0x1b0) returned 1 [0085.515] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.515] SetEndOfFile (hFile=0x1cc) returned 1 [0085.516] CloseHandle (hObject=0x1cc) returned 1 [0085.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.517] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 1 [0085.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0085.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0085.517] lstrlenW (lpString=".doc") returned 4 [0085.517] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.517] lstrlenW (lpString=".docx") returned 5 [0085.517] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.517] lstrlenW (lpString=".pdf") returned 4 [0085.517] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.517] lstrlenW (lpString=".xls") returned 4 [0085.517] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.517] lstrlenW (lpString=".xlsx") returned 5 [0085.517] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.518] lstrlenW (lpString=".ppt") returned 4 [0085.518] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0085.518] lstrlenW (lpString=".zip") returned 4 [0085.518] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.518] lstrlenW (lpString=".rar") returned 4 [0085.518] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.518] lstrlenW (lpString=".bz2") returned 4 [0085.518] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.518] lstrlenW (lpString=".7z") returned 3 [0085.518] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0085.518] lstrlenW (lpString=".dbf") returned 4 [0085.518] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0085.518] lstrlenW (lpString=".1cd") returned 4 [0085.518] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0085.518] lstrlenW (lpString=".jpg") returned 4 [0085.518] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0085.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0085.518] lstrlenW (lpString=".doc") returned 4 [0085.518] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.518] lstrlenW (lpString=".docx") returned 5 [0085.519] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.519] lstrlenW (lpString=".pdf") returned 4 [0085.519] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.519] lstrlenW (lpString=".xls") returned 4 [0085.519] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.519] lstrlenW (lpString=".xlsx") returned 5 [0085.519] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.519] lstrlenW (lpString=".ppt") returned 4 [0085.519] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0085.519] lstrlenW (lpString=".zip") returned 4 [0085.519] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.519] lstrlenW (lpString=".rar") returned 4 [0085.519] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.519] lstrlenW (lpString=".bz2") returned 4 [0085.519] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.519] lstrlenW (lpString=".7z") returned 3 [0085.519] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0085.519] lstrlenW (lpString=".dbf") returned 4 [0085.519] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0085.519] lstrlenW (lpString=".1cd") returned 4 [0085.519] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0085.519] lstrlenW (lpString=".jpg") returned 4 [0085.519] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.520] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.520] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.520] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.520] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=5120) returned 1 [0085.520] CloseHandle (hObject=0x1cc) returned 1 [0085.520] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 0x20 [0085.521] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.521] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.521] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.523] GetLastError () returned 0x0 [0085.523] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x1400, lpOverlapped=0x0) returned 1 [0085.525] WriteFile (in: hFile=0x1b0, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x1410, lpOverlapped=0x0) returned 1 [0085.527] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0085.527] WriteFile (in: hFile=0x1b0, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.527] SetEndOfFile (hFile=0x1b0) returned 1 [0085.527] CloseHandle (hObject=0x1b0) returned 1 [0085.527] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.527] SetEndOfFile (hFile=0x1cc) returned 1 [0085.528] CloseHandle (hObject=0x1cc) returned 1 [0085.529] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.529] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 1 [0085.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0085.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0085.529] lstrlenW (lpString=".doc") returned 4 [0085.529] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.529] lstrlenW (lpString=".docx") returned 5 [0085.529] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.529] lstrlenW (lpString=".pdf") returned 4 [0085.529] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.529] lstrlenW (lpString=".xls") returned 4 [0085.530] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.530] lstrlenW (lpString=".xlsx") returned 5 [0085.530] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.530] lstrlenW (lpString=".ppt") returned 4 [0085.530] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0085.530] lstrlenW (lpString=".zip") returned 4 [0085.530] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.530] lstrlenW (lpString=".rar") returned 4 [0085.530] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.530] lstrlenW (lpString=".bz2") returned 4 [0085.530] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.530] lstrlenW (lpString=".7z") returned 3 [0085.530] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0085.530] lstrlenW (lpString=".dbf") returned 4 [0085.530] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0085.530] lstrlenW (lpString=".1cd") returned 4 [0085.530] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0085.530] lstrlenW (lpString=".jpg") returned 4 [0085.530] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0085.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0085.531] lstrlenW (lpString=".doc") returned 4 [0085.531] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.531] lstrlenW (lpString=".docx") returned 5 [0085.531] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.531] lstrlenW (lpString=".pdf") returned 4 [0085.531] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.531] lstrlenW (lpString=".xls") returned 4 [0085.531] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.531] lstrlenW (lpString=".xlsx") returned 5 [0085.531] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.531] lstrlenW (lpString=".ppt") returned 4 [0085.531] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0085.531] lstrlenW (lpString=".zip") returned 4 [0085.531] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.531] lstrlenW (lpString=".rar") returned 4 [0085.531] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.531] lstrlenW (lpString=".bz2") returned 4 [0085.531] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.531] lstrlenW (lpString=".7z") returned 3 [0085.531] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0085.531] lstrlenW (lpString=".dbf") returned 4 [0085.531] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0085.531] lstrlenW (lpString=".1cd") returned 4 [0085.531] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0085.532] lstrlenW (lpString=".jpg") returned 4 [0085.532] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.532] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.532] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.532] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.533] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=60724) returned 1 [0085.533] CloseHandle (hObject=0x1cc) returned 1 [0085.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 0x20 [0085.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.533] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.533] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.534] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.534] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.534] GetLastError () returned 0x0 [0085.534] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0xed34, lpOverlapped=0x0) returned 1 [0085.539] WriteFile (in: hFile=0x1b0, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xed40, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xed40, lpOverlapped=0x0) returned 1 [0085.541] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0085.541] WriteFile (in: hFile=0x1b0, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.541] SetEndOfFile (hFile=0x1b0) returned 1 [0085.541] CloseHandle (hObject=0x1b0) returned 1 [0085.542] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.542] SetEndOfFile (hFile=0x1cc) returned 1 [0085.543] CloseHandle (hObject=0x1cc) returned 1 [0085.543] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.544] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 1 [0085.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0085.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0085.544] lstrlenW (lpString=".doc") returned 4 [0085.544] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.544] lstrlenW (lpString=".docx") returned 5 [0085.544] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.544] lstrlenW (lpString=".pdf") returned 4 [0085.544] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.544] lstrlenW (lpString=".xls") returned 4 [0085.544] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.544] lstrlenW (lpString=".xlsx") returned 5 [0085.544] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.544] lstrlenW (lpString=".ppt") returned 4 [0085.545] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0085.545] lstrlenW (lpString=".zip") returned 4 [0085.545] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.545] lstrlenW (lpString=".rar") returned 4 [0085.545] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.545] lstrlenW (lpString=".bz2") returned 4 [0085.545] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.545] lstrlenW (lpString=".7z") returned 3 [0085.545] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0085.545] lstrlenW (lpString=".dbf") returned 4 [0085.545] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0085.545] lstrlenW (lpString=".1cd") returned 4 [0085.545] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0085.545] lstrlenW (lpString=".jpg") returned 4 [0085.545] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0085.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0085.545] lstrlenW (lpString=".doc") returned 4 [0085.545] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.545] lstrlenW (lpString=".docx") returned 5 [0085.545] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.545] lstrlenW (lpString=".pdf") returned 4 [0085.546] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.546] lstrlenW (lpString=".xls") returned 4 [0085.546] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.546] lstrlenW (lpString=".xlsx") returned 5 [0085.546] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.546] lstrlenW (lpString=".ppt") returned 4 [0085.546] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0085.546] lstrlenW (lpString=".zip") returned 4 [0085.546] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.546] lstrlenW (lpString=".rar") returned 4 [0085.546] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.546] lstrlenW (lpString=".bz2") returned 4 [0085.546] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.546] lstrlenW (lpString=".7z") returned 3 [0085.546] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0085.546] lstrlenW (lpString=".dbf") returned 4 [0085.546] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0085.546] lstrlenW (lpString=".1cd") returned 4 [0085.546] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0085.546] lstrlenW (lpString=".jpg") returned 4 [0085.546] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.547] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.547] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.547] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.547] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=2552) returned 1 [0085.547] CloseHandle (hObject=0x1cc) returned 1 [0085.547] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif")) returned 0x20 [0085.547] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.548] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.548] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.548] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.548] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0085.828] GetLastError () returned 0x0 [0085.828] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x9f8, lpOverlapped=0x0) returned 1 [0085.830] WriteFile (in: hFile=0x1e8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xa00, lpOverlapped=0x0) returned 1 [0085.832] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0085.832] WriteFile (in: hFile=0x1e8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.832] SetEndOfFile (hFile=0x1e8) returned 1 [0085.832] CloseHandle (hObject=0x1e8) returned 1 [0085.832] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.832] SetEndOfFile (hFile=0x1cc) returned 1 [0085.833] CloseHandle (hObject=0x1cc) returned 1 [0085.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.834] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif")) returned 1 [0085.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0085.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0085.834] lstrlenW (lpString=".doc") returned 4 [0085.834] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.834] lstrlenW (lpString=".docx") returned 5 [0085.835] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.835] lstrlenW (lpString=".pdf") returned 4 [0085.835] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.835] lstrlenW (lpString=".xls") returned 4 [0085.835] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.835] lstrlenW (lpString=".xlsx") returned 5 [0085.835] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.835] lstrlenW (lpString=".ppt") returned 4 [0085.835] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0085.835] lstrlenW (lpString=".zip") returned 4 [0085.835] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.835] lstrlenW (lpString=".rar") returned 4 [0085.835] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.835] lstrlenW (lpString=".bz2") returned 4 [0085.835] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.835] lstrlenW (lpString=".7z") returned 3 [0085.835] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0085.836] lstrlenW (lpString=".dbf") returned 4 [0085.836] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0085.836] lstrlenW (lpString=".1cd") returned 4 [0085.836] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0085.836] lstrlenW (lpString=".jpg") returned 4 [0085.836] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0085.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0085.836] lstrlenW (lpString=".doc") returned 4 [0085.836] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.836] lstrlenW (lpString=".docx") returned 5 [0085.836] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.836] lstrlenW (lpString=".pdf") returned 4 [0085.836] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.836] lstrlenW (lpString=".xls") returned 4 [0085.837] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.837] lstrlenW (lpString=".xlsx") returned 5 [0085.837] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.837] lstrlenW (lpString=".ppt") returned 4 [0085.837] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0085.837] lstrlenW (lpString=".zip") returned 4 [0085.837] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.837] lstrlenW (lpString=".rar") returned 4 [0085.837] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.837] lstrlenW (lpString=".bz2") returned 4 [0085.837] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.837] lstrlenW (lpString=".7z") returned 3 [0085.837] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0085.837] lstrlenW (lpString=".dbf") returned 4 [0085.837] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0085.837] lstrlenW (lpString=".1cd") returned 4 [0085.838] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0085.838] lstrlenW (lpString=".jpg") returned 4 [0085.838] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.838] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.838] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.839] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=1659) returned 1 [0085.839] CloseHandle (hObject=0x1cc) returned 1 [0085.839] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 0x20 [0085.839] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.839] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.839] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.839] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.839] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0085.842] GetLastError () returned 0x0 [0085.842] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x67b, lpOverlapped=0x0) returned 1 [0085.844] WriteFile (in: hFile=0x1e8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x680, lpOverlapped=0x0) returned 1 [0085.845] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0085.846] WriteFile (in: hFile=0x1e8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.846] SetEndOfFile (hFile=0x1e8) returned 1 [0085.846] CloseHandle (hObject=0x1e8) returned 1 [0085.846] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.846] SetEndOfFile (hFile=0x1cc) returned 1 [0085.849] CloseHandle (hObject=0x1cc) returned 1 [0085.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.850] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 1 [0085.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0085.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0085.850] lstrlenW (lpString=".doc") returned 4 [0085.850] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.850] lstrlenW (lpString=".docx") returned 5 [0085.850] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.850] lstrlenW (lpString=".pdf") returned 4 [0085.850] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.850] lstrlenW (lpString=".xls") returned 4 [0085.850] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.850] lstrlenW (lpString=".xlsx") returned 5 [0085.850] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.850] lstrlenW (lpString=".ppt") returned 4 [0085.850] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0085.850] lstrlenW (lpString=".zip") returned 4 [0085.850] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.850] lstrlenW (lpString=".rar") returned 4 [0085.851] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.851] lstrlenW (lpString=".bz2") returned 4 [0085.851] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.851] lstrlenW (lpString=".7z") returned 3 [0085.851] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0085.851] lstrlenW (lpString=".dbf") returned 4 [0085.851] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0085.851] lstrlenW (lpString=".1cd") returned 4 [0085.851] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0085.851] lstrlenW (lpString=".jpg") returned 4 [0085.851] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0085.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0085.851] lstrlenW (lpString=".doc") returned 4 [0085.851] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.851] lstrlenW (lpString=".docx") returned 5 [0085.851] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.851] lstrlenW (lpString=".pdf") returned 4 [0085.851] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.851] lstrlenW (lpString=".xls") returned 4 [0085.851] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.851] lstrlenW (lpString=".xlsx") returned 5 [0085.851] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.851] lstrlenW (lpString=".ppt") returned 4 [0085.851] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0085.851] lstrlenW (lpString=".zip") returned 4 [0085.851] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.851] lstrlenW (lpString=".rar") returned 4 [0085.851] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.852] lstrlenW (lpString=".bz2") returned 4 [0085.852] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.852] lstrlenW (lpString=".7z") returned 3 [0085.852] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0085.852] lstrlenW (lpString=".dbf") returned 4 [0085.852] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0085.852] lstrlenW (lpString=".1cd") returned 4 [0085.852] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0085.852] lstrlenW (lpString=".jpg") returned 4 [0085.852] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.852] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.852] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.852] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.853] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=44850) returned 1 [0085.853] CloseHandle (hObject=0x1cc) returned 1 [0085.853] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 0x20 [0085.854] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.854] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.854] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.854] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.854] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0085.854] GetLastError () returned 0x0 [0085.854] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0xaf32, lpOverlapped=0x0) returned 1 [0085.857] WriteFile (in: hFile=0x1e8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xaf40, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xaf40, lpOverlapped=0x0) returned 1 [0085.859] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0085.859] WriteFile (in: hFile=0x1e8, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.859] SetEndOfFile (hFile=0x1e8) returned 1 [0085.860] CloseHandle (hObject=0x1e8) returned 1 [0085.860] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.860] SetEndOfFile (hFile=0x1cc) returned 1 [0085.863] CloseHandle (hObject=0x1cc) returned 1 [0085.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.863] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 1 [0085.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0085.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0085.864] lstrlenW (lpString=".doc") returned 4 [0085.864] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.864] lstrlenW (lpString=".docx") returned 5 [0085.864] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.864] lstrlenW (lpString=".pdf") returned 4 [0085.864] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.864] lstrlenW (lpString=".xls") returned 4 [0085.864] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.864] lstrlenW (lpString=".xlsx") returned 5 [0085.864] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.864] lstrlenW (lpString=".ppt") returned 4 [0085.864] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0085.864] lstrlenW (lpString=".zip") returned 4 [0085.864] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.864] lstrlenW (lpString=".rar") returned 4 [0085.864] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.864] lstrlenW (lpString=".bz2") returned 4 [0085.864] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.864] lstrlenW (lpString=".7z") returned 3 [0085.864] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0085.864] lstrlenW (lpString=".dbf") returned 4 [0085.864] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0085.864] lstrlenW (lpString=".1cd") returned 4 [0085.864] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0085.864] lstrlenW (lpString=".jpg") returned 4 [0085.864] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0085.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0085.865] lstrlenW (lpString=".doc") returned 4 [0085.865] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.865] lstrlenW (lpString=".docx") returned 5 [0085.865] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.865] lstrlenW (lpString=".pdf") returned 4 [0085.865] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.865] lstrlenW (lpString=".xls") returned 4 [0085.865] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.865] lstrlenW (lpString=".xlsx") returned 5 [0085.865] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.865] lstrlenW (lpString=".ppt") returned 4 [0085.865] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0085.865] lstrlenW (lpString=".zip") returned 4 [0085.865] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.865] lstrlenW (lpString=".rar") returned 4 [0085.865] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.865] lstrlenW (lpString=".bz2") returned 4 [0085.865] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.865] lstrlenW (lpString=".7z") returned 3 [0085.865] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0085.865] lstrlenW (lpString=".dbf") returned 4 [0085.865] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0085.865] lstrlenW (lpString=".1cd") returned 4 [0085.865] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0085.865] lstrlenW (lpString=".jpg") returned 4 [0085.865] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.866] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.866] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.866] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.866] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=1379) returned 1 [0085.866] CloseHandle (hObject=0x1cc) returned 1 [0085.866] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 0x20 [0085.866] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.866] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0085.866] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.866] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0085.867] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0086.208] GetLastError () returned 0x0 [0086.208] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x563, lpOverlapped=0x0) returned 1 [0086.211] WriteFile (in: hFile=0x1f4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x570, lpOverlapped=0x0) returned 1 [0086.213] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0086.213] WriteFile (in: hFile=0x1f4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xea, lpOverlapped=0x0) returned 1 [0086.213] SetEndOfFile (hFile=0x1f4) returned 1 [0086.213] CloseHandle (hObject=0x1f4) returned 1 [0086.214] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.214] SetEndOfFile (hFile=0x1cc) returned 1 [0086.215] CloseHandle (hObject=0x1cc) returned 1 [0086.215] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.215] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 1 [0086.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0086.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0086.215] lstrlenW (lpString=".doc") returned 4 [0086.216] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0086.216] lstrlenW (lpString=".docx") returned 5 [0086.216] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0086.216] lstrlenW (lpString=".pdf") returned 4 [0086.216] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0086.216] lstrlenW (lpString=".xls") returned 4 [0086.216] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0086.216] lstrlenW (lpString=".xlsx") returned 5 [0086.216] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0086.216] lstrlenW (lpString=".ppt") returned 4 [0086.216] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0086.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0086.216] lstrlenW (lpString=".zip") returned 4 [0086.216] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0086.216] lstrlenW (lpString=".rar") returned 4 [0086.216] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0086.216] lstrlenW (lpString=".bz2") returned 4 [0086.216] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0086.216] lstrlenW (lpString=".7z") returned 3 [0086.216] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0086.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0086.216] lstrlenW (lpString=".dbf") returned 4 [0086.216] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0086.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0086.216] lstrlenW (lpString=".1cd") returned 4 [0086.216] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0086.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0086.217] lstrlenW (lpString=".jpg") returned 4 [0086.217] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0086.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0086.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0086.217] lstrlenW (lpString=".doc") returned 4 [0086.217] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0086.217] lstrlenW (lpString=".docx") returned 5 [0086.217] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0086.217] lstrlenW (lpString=".pdf") returned 4 [0086.217] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0086.217] lstrlenW (lpString=".xls") returned 4 [0086.217] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0086.217] lstrlenW (lpString=".xlsx") returned 5 [0086.217] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0086.217] lstrlenW (lpString=".ppt") returned 4 [0086.217] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0086.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0086.217] lstrlenW (lpString=".zip") returned 4 [0086.217] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0086.217] lstrlenW (lpString=".rar") returned 4 [0086.217] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0086.217] lstrlenW (lpString=".bz2") returned 4 [0086.217] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0086.217] lstrlenW (lpString=".7z") returned 3 [0086.217] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0086.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0086.217] lstrlenW (lpString=".dbf") returned 4 [0086.218] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0086.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0086.218] lstrlenW (lpString=".1cd") returned 4 [0086.218] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0086.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0086.218] lstrlenW (lpString=".jpg") returned 4 [0086.218] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0086.218] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0086.218] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0086.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0086.218] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=1439) returned 1 [0086.219] CloseHandle (hObject=0x1cc) returned 1 [0086.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif")) returned 0x20 [0086.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0086.219] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.219] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0086.222] GetLastError () returned 0x0 [0086.222] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x59f, lpOverlapped=0x0) returned 1 [0086.224] WriteFile (in: hFile=0x1f4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x5a0, lpOverlapped=0x0) returned 1 [0086.225] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0086.225] WriteFile (in: hFile=0x1f4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xea, lpOverlapped=0x0) returned 1 [0086.225] SetEndOfFile (hFile=0x1f4) returned 1 [0086.225] CloseHandle (hObject=0x1f4) returned 1 [0086.225] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.226] SetEndOfFile (hFile=0x1cc) returned 1 [0086.226] CloseHandle (hObject=0x1cc) returned 1 [0086.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.227] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif")) returned 1 [0086.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0086.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0086.227] lstrlenW (lpString=".doc") returned 4 [0086.227] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0086.227] lstrlenW (lpString=".docx") returned 5 [0086.227] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0086.227] lstrlenW (lpString=".pdf") returned 4 [0086.227] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0086.227] lstrlenW (lpString=".xls") returned 4 [0086.227] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0086.227] lstrlenW (lpString=".xlsx") returned 5 [0086.227] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0086.228] lstrlenW (lpString=".ppt") returned 4 [0086.228] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0086.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0086.228] lstrlenW (lpString=".zip") returned 4 [0086.228] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0086.228] lstrlenW (lpString=".rar") returned 4 [0086.228] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0086.228] lstrlenW (lpString=".bz2") returned 4 [0086.228] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0086.228] lstrlenW (lpString=".7z") returned 3 [0086.228] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0086.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0086.228] lstrlenW (lpString=".dbf") returned 4 [0086.228] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0086.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0086.228] lstrlenW (lpString=".1cd") returned 4 [0086.228] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0086.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0086.228] lstrlenW (lpString=".jpg") returned 4 [0086.228] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0086.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0086.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0086.229] lstrlenW (lpString=".doc") returned 4 [0086.229] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0086.229] lstrlenW (lpString=".docx") returned 5 [0086.229] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0086.229] lstrlenW (lpString=".pdf") returned 4 [0086.229] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0086.229] lstrlenW (lpString=".xls") returned 4 [0086.229] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0086.229] lstrlenW (lpString=".xlsx") returned 5 [0086.229] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0086.229] lstrlenW (lpString=".ppt") returned 4 [0086.229] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0086.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0086.229] lstrlenW (lpString=".zip") returned 4 [0086.229] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0086.229] lstrlenW (lpString=".rar") returned 4 [0086.229] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0086.229] lstrlenW (lpString=".bz2") returned 4 [0086.229] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0086.229] lstrlenW (lpString=".7z") returned 3 [0086.229] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0086.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0086.229] lstrlenW (lpString=".dbf") returned 4 [0086.229] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0086.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0086.229] lstrlenW (lpString=".1cd") returned 4 [0086.230] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0086.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0086.230] lstrlenW (lpString=".jpg") returned 4 [0086.230] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0086.230] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0086.230] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0086.230] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0086.230] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=37112) returned 1 [0086.230] CloseHandle (hObject=0x1cc) returned 1 [0086.230] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 0x20 [0086.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0086.231] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.231] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0086.231] GetLastError () returned 0x0 [0086.231] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x90f8, lpOverlapped=0x0) returned 1 [0086.234] WriteFile (in: hFile=0x1f4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x9100, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x9100, lpOverlapped=0x0) returned 1 [0086.236] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0086.236] WriteFile (in: hFile=0x1f4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xec, lpOverlapped=0x0) returned 1 [0086.236] SetEndOfFile (hFile=0x1f4) returned 1 [0086.236] CloseHandle (hObject=0x1f4) returned 1 [0086.237] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.237] SetEndOfFile (hFile=0x1cc) returned 1 [0086.238] CloseHandle (hObject=0x1cc) returned 1 [0086.238] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.238] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 1 [0086.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0086.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0086.239] lstrlenW (lpString=".doc") returned 4 [0086.239] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.239] lstrlenW (lpString=".docx") returned 5 [0086.239] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.239] lstrlenW (lpString=".pdf") returned 4 [0086.239] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.239] lstrlenW (lpString=".xls") returned 4 [0086.239] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.239] lstrlenW (lpString=".xlsx") returned 5 [0086.239] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.239] lstrlenW (lpString=".ppt") returned 4 [0086.239] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0086.239] lstrlenW (lpString=".zip") returned 4 [0086.239] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.239] lstrlenW (lpString=".rar") returned 4 [0086.239] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.239] lstrlenW (lpString=".bz2") returned 4 [0086.239] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.239] lstrlenW (lpString=".7z") returned 3 [0086.239] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0086.240] lstrlenW (lpString=".dbf") returned 4 [0086.240] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0086.240] lstrlenW (lpString=".1cd") returned 4 [0086.240] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0086.240] lstrlenW (lpString=".jpg") returned 4 [0086.240] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0086.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0086.240] lstrlenW (lpString=".doc") returned 4 [0086.240] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.240] lstrlenW (lpString=".docx") returned 5 [0086.240] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.240] lstrlenW (lpString=".pdf") returned 4 [0086.240] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.240] lstrlenW (lpString=".xls") returned 4 [0086.240] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.240] lstrlenW (lpString=".xlsx") returned 5 [0086.240] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.240] lstrlenW (lpString=".ppt") returned 4 [0086.240] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0086.240] lstrlenW (lpString=".zip") returned 4 [0086.240] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.240] lstrlenW (lpString=".rar") returned 4 [0086.241] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.241] lstrlenW (lpString=".bz2") returned 4 [0086.241] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.241] lstrlenW (lpString=".7z") returned 3 [0086.241] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0086.241] lstrlenW (lpString=".dbf") returned 4 [0086.241] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0086.241] lstrlenW (lpString=".1cd") returned 4 [0086.241] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0086.241] lstrlenW (lpString=".jpg") returned 4 [0086.241] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.241] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0086.241] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0086.241] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0086.242] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=1666) returned 1 [0086.242] CloseHandle (hObject=0x1cc) returned 1 [0086.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif")) returned 0x20 [0086.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0086.243] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.243] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0086.245] GetLastError () returned 0x0 [0086.245] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x682, lpOverlapped=0x0) returned 1 [0086.526] WriteFile (in: hFile=0x1f4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x690, lpOverlapped=0x0) returned 1 [0086.527] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0086.528] WriteFile (in: hFile=0x1f4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xea, lpOverlapped=0x0) returned 1 [0086.528] SetEndOfFile (hFile=0x1f4) returned 1 [0086.528] CloseHandle (hObject=0x1f4) returned 1 [0086.528] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.528] SetEndOfFile (hFile=0x1cc) returned 1 [0086.529] CloseHandle (hObject=0x1cc) returned 1 [0086.529] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.530] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif")) returned 1 [0086.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0086.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0086.530] lstrlenW (lpString=".doc") returned 4 [0086.530] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0086.530] lstrlenW (lpString=".docx") returned 5 [0086.530] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0086.530] lstrlenW (lpString=".pdf") returned 4 [0086.530] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0086.530] lstrlenW (lpString=".xls") returned 4 [0086.530] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0086.530] lstrlenW (lpString=".xlsx") returned 5 [0086.530] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0086.530] lstrlenW (lpString=".ppt") returned 4 [0086.530] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0086.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0086.531] lstrlenW (lpString=".zip") returned 4 [0086.531] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0086.531] lstrlenW (lpString=".rar") returned 4 [0086.531] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0086.531] lstrlenW (lpString=".bz2") returned 4 [0086.531] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0086.531] lstrlenW (lpString=".7z") returned 3 [0086.531] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0086.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0086.531] lstrlenW (lpString=".dbf") returned 4 [0086.531] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0086.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0086.531] lstrlenW (lpString=".1cd") returned 4 [0086.531] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0086.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0086.531] lstrlenW (lpString=".jpg") returned 4 [0086.531] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0086.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0086.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0086.531] lstrlenW (lpString=".doc") returned 4 [0086.531] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0086.531] lstrlenW (lpString=".docx") returned 5 [0086.531] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0086.531] lstrlenW (lpString=".pdf") returned 4 [0086.532] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0086.532] lstrlenW (lpString=".xls") returned 4 [0086.532] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0086.532] lstrlenW (lpString=".xlsx") returned 5 [0086.532] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0086.532] lstrlenW (lpString=".ppt") returned 4 [0086.532] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0086.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0086.532] lstrlenW (lpString=".zip") returned 4 [0086.532] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0086.532] lstrlenW (lpString=".rar") returned 4 [0086.532] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0086.532] lstrlenW (lpString=".bz2") returned 4 [0086.532] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0086.532] lstrlenW (lpString=".7z") returned 3 [0086.532] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0086.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0086.532] lstrlenW (lpString=".dbf") returned 4 [0086.532] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0086.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0086.532] lstrlenW (lpString=".1cd") returned 4 [0086.532] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0086.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0086.532] lstrlenW (lpString=".jpg") returned 4 [0086.532] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0086.533] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0086.533] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0086.533] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0086.534] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=3970) returned 1 [0086.534] CloseHandle (hObject=0x1cc) returned 1 [0086.534] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 0x20 [0086.534] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.534] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0086.534] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.534] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.534] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0086.962] GetLastError () returned 0x0 [0086.962] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0xf82, lpOverlapped=0x0) returned 1 [0086.965] WriteFile (in: hFile=0x1b0, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xf90, lpOverlapped=0x0) returned 1 [0086.966] ReadFile (in: hFile=0x1cc, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0086.966] WriteFile (in: hFile=0x1b0, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xea, lpOverlapped=0x0) returned 1 [0086.967] SetEndOfFile (hFile=0x1b0) returned 1 [0086.967] CloseHandle (hObject=0x1b0) returned 1 [0086.967] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.967] SetEndOfFile (hFile=0x1cc) returned 1 [0086.968] CloseHandle (hObject=0x1cc) returned 1 [0086.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0087.215] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 1 [0087.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0087.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0087.567] lstrlenW (lpString=".doc") returned 4 [0087.567] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0087.567] lstrlenW (lpString=".docx") returned 5 [0087.567] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0087.567] lstrlenW (lpString=".pdf") returned 4 [0087.567] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0087.567] lstrlenW (lpString=".xls") returned 4 [0087.567] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0087.567] lstrlenW (lpString=".xlsx") returned 5 [0087.567] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0087.567] lstrlenW (lpString=".ppt") returned 4 [0087.567] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0087.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0087.568] lstrlenW (lpString=".zip") returned 4 [0087.568] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0087.568] lstrlenW (lpString=".rar") returned 4 [0087.568] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0087.568] lstrlenW (lpString=".bz2") returned 4 [0087.568] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0087.568] lstrlenW (lpString=".7z") returned 3 [0087.568] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0087.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0087.568] lstrlenW (lpString=".dbf") returned 4 [0087.568] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0087.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0087.568] lstrlenW (lpString=".1cd") returned 4 [0087.568] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0087.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0087.568] lstrlenW (lpString=".jpg") returned 4 [0087.568] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0087.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0087.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0087.568] lstrlenW (lpString=".doc") returned 4 [0087.568] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0087.568] lstrlenW (lpString=".docx") returned 5 [0087.568] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0087.568] lstrlenW (lpString=".pdf") returned 4 [0087.568] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0087.568] lstrlenW (lpString=".xls") returned 4 [0087.569] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0087.569] lstrlenW (lpString=".xlsx") returned 5 [0087.569] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0087.569] lstrlenW (lpString=".ppt") returned 4 [0087.569] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0087.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0087.569] lstrlenW (lpString=".zip") returned 4 [0087.569] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0087.569] lstrlenW (lpString=".rar") returned 4 [0087.569] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0087.569] lstrlenW (lpString=".bz2") returned 4 [0087.569] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0087.569] lstrlenW (lpString=".7z") returned 3 [0087.569] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0087.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0087.569] lstrlenW (lpString=".dbf") returned 4 [0087.569] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0087.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0087.569] lstrlenW (lpString=".1cd") returned 4 [0087.569] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0087.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0087.569] lstrlenW (lpString=".jpg") returned 4 [0087.569] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0087.569] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0087.570] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0087.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0087.668] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=34163) returned 1 [0087.668] CloseHandle (hObject=0x1d0) returned 1 [0087.668] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 0x20 [0087.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0088.063] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0088.211] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0088.211] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0088.211] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0088.238] GetLastError () returned 0x0 [0088.238] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x8573, lpOverlapped=0x0) returned 1 [0089.020] WriteFile (in: hFile=0x20c, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x8580, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x8580, lpOverlapped=0x0) returned 1 [0089.022] ReadFile (in: hFile=0x204, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0089.022] WriteFile (in: hFile=0x20c, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xec, lpOverlapped=0x0) returned 1 [0089.022] SetEndOfFile (hFile=0x20c) returned 1 [0089.022] CloseHandle (hObject=0x20c) returned 1 [0089.022] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0089.022] SetEndOfFile (hFile=0x204) returned 1 [0089.024] CloseHandle (hObject=0x204) returned 1 [0089.024] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0089.024] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 1 [0089.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0089.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0089.027] lstrlenW (lpString=".doc") returned 4 [0089.027] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0089.027] lstrlenW (lpString=".docx") returned 5 [0089.027] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0089.027] lstrlenW (lpString=".pdf") returned 4 [0089.027] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0089.027] lstrlenW (lpString=".xls") returned 4 [0089.027] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0089.028] lstrlenW (lpString=".xlsx") returned 5 [0089.028] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0089.028] lstrlenW (lpString=".ppt") returned 4 [0089.028] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0089.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0089.028] lstrlenW (lpString=".zip") returned 4 [0089.028] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0089.028] lstrlenW (lpString=".rar") returned 4 [0089.028] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0089.028] lstrlenW (lpString=".bz2") returned 4 [0089.028] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0089.028] lstrlenW (lpString=".7z") returned 3 [0089.028] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0089.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0089.028] lstrlenW (lpString=".dbf") returned 4 [0089.028] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0089.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0089.028] lstrlenW (lpString=".1cd") returned 4 [0089.028] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0089.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0089.028] lstrlenW (lpString=".jpg") returned 4 [0089.028] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0089.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0089.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0089.028] lstrlenW (lpString=".doc") returned 4 [0089.028] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0089.028] lstrlenW (lpString=".docx") returned 5 [0089.028] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0089.028] lstrlenW (lpString=".pdf") returned 4 [0089.028] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0089.028] lstrlenW (lpString=".xls") returned 4 [0089.029] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0089.029] lstrlenW (lpString=".xlsx") returned 5 [0089.029] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0089.029] lstrlenW (lpString=".ppt") returned 4 [0089.029] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0089.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0089.029] lstrlenW (lpString=".zip") returned 4 [0089.029] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0089.029] lstrlenW (lpString=".rar") returned 4 [0089.029] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0089.029] lstrlenW (lpString=".bz2") returned 4 [0089.029] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0089.029] lstrlenW (lpString=".7z") returned 3 [0089.029] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0089.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0089.029] lstrlenW (lpString=".dbf") returned 4 [0089.029] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0089.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0089.029] lstrlenW (lpString=".1cd") returned 4 [0089.029] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0089.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0089.029] lstrlenW (lpString=".jpg") returned 4 [0089.029] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0089.029] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0089.029] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0089.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0090.176] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=21812) returned 1 [0090.176] CloseHandle (hObject=0x1d0) returned 1 [0090.176] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png")) returned 0x20 [0090.176] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0090.176] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0090.176] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0090.176] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0090.176] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0090.177] GetLastError () returned 0x0 [0090.177] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x5534, lpOverlapped=0x0) returned 1 [0090.300] WriteFile (in: hFile=0x1b4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x5540, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x5540, lpOverlapped=0x0) returned 1 [0090.302] ReadFile (in: hFile=0x1d0, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0090.302] WriteFile (in: hFile=0x1b4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xec, lpOverlapped=0x0) returned 1 [0090.302] SetEndOfFile (hFile=0x1b4) returned 1 [0090.302] CloseHandle (hObject=0x1b4) returned 1 [0090.302] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0090.302] SetEndOfFile (hFile=0x1d0) returned 1 [0090.303] CloseHandle (hObject=0x1d0) returned 1 [0090.303] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0090.304] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png")) returned 1 [0090.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0090.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0090.304] lstrlenW (lpString=".doc") returned 4 [0090.304] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0090.304] lstrlenW (lpString=".docx") returned 5 [0090.304] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0090.304] lstrlenW (lpString=".pdf") returned 4 [0090.304] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0090.304] lstrlenW (lpString=".xls") returned 4 [0090.304] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0090.304] lstrlenW (lpString=".xlsx") returned 5 [0090.304] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0090.304] lstrlenW (lpString=".ppt") returned 4 [0090.304] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0090.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0090.304] lstrlenW (lpString=".zip") returned 4 [0090.304] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0090.304] lstrlenW (lpString=".rar") returned 4 [0090.304] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0090.304] lstrlenW (lpString=".bz2") returned 4 [0090.304] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0090.304] lstrlenW (lpString=".7z") returned 3 [0090.304] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0090.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0090.304] lstrlenW (lpString=".dbf") returned 4 [0090.304] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0090.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0090.305] lstrlenW (lpString=".1cd") returned 4 [0090.305] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0090.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0090.305] lstrlenW (lpString=".jpg") returned 4 [0090.305] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0090.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0090.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0090.305] lstrlenW (lpString=".doc") returned 4 [0090.305] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0090.305] lstrlenW (lpString=".docx") returned 5 [0090.305] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0090.305] lstrlenW (lpString=".pdf") returned 4 [0090.305] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0090.305] lstrlenW (lpString=".xls") returned 4 [0090.305] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0090.305] lstrlenW (lpString=".xlsx") returned 5 [0090.305] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0090.305] lstrlenW (lpString=".ppt") returned 4 [0090.305] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0090.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0090.305] lstrlenW (lpString=".zip") returned 4 [0090.305] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0090.305] lstrlenW (lpString=".rar") returned 4 [0090.305] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0090.305] lstrlenW (lpString=".bz2") returned 4 [0090.305] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0090.305] lstrlenW (lpString=".7z") returned 3 [0090.305] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0090.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0090.305] lstrlenW (lpString=".dbf") returned 4 [0090.305] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0090.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0090.305] lstrlenW (lpString=".1cd") returned 4 [0090.305] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0090.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0090.306] lstrlenW (lpString=".jpg") returned 4 [0090.306] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0090.306] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0090.306] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0090.306] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0092.679] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=30170) returned 1 [0092.679] CloseHandle (hObject=0x214) returned 1 [0092.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 0x20 [0092.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0092.680] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0092.680] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0092.680] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0092.680] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0092.680] GetLastError () returned 0x0 [0092.680] ReadFile (in: hFile=0x214, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x75da, lpOverlapped=0x0) returned 1 [0092.683] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x75e0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x75e0, lpOverlapped=0x0) returned 1 [0092.685] ReadFile (in: hFile=0x214, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0092.685] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xec, lpOverlapped=0x0) returned 1 [0092.685] SetEndOfFile (hFile=0x1d4) returned 1 [0092.685] CloseHandle (hObject=0x1d4) returned 1 [0092.685] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0092.685] SetEndOfFile (hFile=0x214) returned 1 [0092.687] CloseHandle (hObject=0x214) returned 1 [0092.687] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0092.687] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 1 [0092.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0092.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0092.688] lstrlenW (lpString=".doc") returned 4 [0092.688] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0092.688] lstrlenW (lpString=".docx") returned 5 [0092.688] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0092.688] lstrlenW (lpString=".pdf") returned 4 [0092.688] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0092.688] lstrlenW (lpString=".xls") returned 4 [0092.688] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0092.688] lstrlenW (lpString=".xlsx") returned 5 [0092.688] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0092.688] lstrlenW (lpString=".ppt") returned 4 [0092.688] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0092.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0092.688] lstrlenW (lpString=".zip") returned 4 [0092.688] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0092.688] lstrlenW (lpString=".rar") returned 4 [0092.688] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0092.688] lstrlenW (lpString=".bz2") returned 4 [0092.688] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0092.688] lstrlenW (lpString=".7z") returned 3 [0092.689] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0092.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0092.689] lstrlenW (lpString=".dbf") returned 4 [0092.689] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0092.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0092.689] lstrlenW (lpString=".1cd") returned 4 [0092.689] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0092.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0092.689] lstrlenW (lpString=".jpg") returned 4 [0092.689] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0092.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0092.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0092.689] lstrlenW (lpString=".doc") returned 4 [0092.689] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0092.689] lstrlenW (lpString=".docx") returned 5 [0092.689] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0092.689] lstrlenW (lpString=".pdf") returned 4 [0092.689] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0092.689] lstrlenW (lpString=".xls") returned 4 [0092.689] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0092.689] lstrlenW (lpString=".xlsx") returned 5 [0092.689] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0092.689] lstrlenW (lpString=".ppt") returned 4 [0092.689] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0092.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0092.689] lstrlenW (lpString=".zip") returned 4 [0092.690] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0092.690] lstrlenW (lpString=".rar") returned 4 [0092.690] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0092.690] lstrlenW (lpString=".bz2") returned 4 [0092.690] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0092.690] lstrlenW (lpString=".7z") returned 3 [0092.690] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0092.690] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0092.690] lstrlenW (lpString=".dbf") returned 4 [0092.690] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0092.690] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0092.690] lstrlenW (lpString=".1cd") returned 4 [0092.690] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0092.690] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0092.690] lstrlenW (lpString=".jpg") returned 4 [0092.690] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0092.690] lstrcmpiW (lpString1=".MSG", lpString2=".mnbzr") returned 1 [0092.690] lstrlenW (lpString="FPEXT.MSG") returned 9 [0092.690] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0092.692] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=169637) returned 1 [0092.692] CloseHandle (hObject=0x214) returned 1 [0092.693] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg")) returned 0x20 [0092.693] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0092.693] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0092.693] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0092.693] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0092.693] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0092.694] GetLastError () returned 0x0 [0092.694] ReadFile (in: hFile=0x214, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x296a5, lpOverlapped=0x0) returned 1 [0092.701] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0x296b0, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0x296b0, lpOverlapped=0x0) returned 1 [0092.707] ReadFile (in: hFile=0x214, lpBuffer=0x2fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2adfed4, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesRead=0x2adfed4*=0x0, lpOverlapped=0x0) returned 1 [0092.707] WriteFile (in: hFile=0x1d4, lpBuffer=0x2fb0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2adfc9c, lpOverlapped=0x0 | out: lpBuffer=0x2fb0020*, lpNumberOfBytesWritten=0x2adfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0092.707] SetEndOfFile (hFile=0x1d4) returned 1 [0092.707] CloseHandle (hObject=0x1d4) returned 1 [0092.708] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2adfec8 | out: lpNewFilePointer=0x0) returned 1 [0092.708] SetEndOfFile (hFile=0x214) returned 1 [0092.710] CloseHandle (hObject=0x214) returned 1 [0092.710] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0092.711] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg")) returned 1 [0092.711] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0092.711] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0092.711] lstrlenW (lpString=".doc") returned 4 [0092.711] lstrcmpiW (lpString1=".doc", lpString2=".MSG") returned -1 [0092.711] lstrlenW (lpString=".docx") returned 5 [0092.711] lstrcmpiW (lpString1=".docx", lpString2="T.MSG") returned -1 [0092.711] lstrlenW (lpString=".pdf") returned 4 [0092.711] lstrcmpiW (lpString1=".pdf", lpString2=".MSG") returned 1 [0092.711] lstrlenW (lpString=".xls") returned 4 [0092.711] lstrcmpiW (lpString1=".xls", lpString2=".MSG") returned 1 [0092.711] lstrlenW (lpString=".xlsx") returned 5 [0092.711] lstrcmpiW (lpString1=".xlsx", lpString2="T.MSG") returned -1 [0092.711] lstrlenW (lpString=".ppt") returned 4 [0092.711] lstrcmpiW (lpString1=".ppt", lpString2=".MSG") returned 1 [0092.711] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0092.711] lstrlenW (lpString=".zip") returned 4 [0092.711] lstrcmpiW (lpString1=".zip", lpString2=".MSG") returned 1 [0092.712] lstrlenW (lpString=".rar") returned 4 [0092.712] lstrcmpiW (lpString1=".rar", lpString2=".MSG") returned 1 [0092.712] lstrlenW (lpString=".bz2") returned 4 [0092.712] lstrcmpiW (lpString1=".bz2", lpString2=".MSG") returned -1 [0092.712] lstrlenW (lpString=".7z") returned 3 [0092.712] lstrcmpiW (lpString1=".7z", lpString2="MSG") returned -1 [0092.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0092.712] lstrlenW (lpString=".dbf") returned 4 [0092.712] lstrcmpiW (lpString1=".dbf", lpString2=".MSG") returned -1 [0092.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0092.712] lstrlenW (lpString=".1cd") returned 4 [0092.712] lstrcmpiW (lpString1=".1cd", lpString2=".MSG") returned -1 [0092.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0092.712] lstrlenW (lpString=".jpg") returned 4 [0092.712] lstrcmpiW (lpString1=".jpg", lpString2=".MSG") returned -1 [0092.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0092.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0092.712] lstrlenW (lpString=".doc") returned 4 [0092.712] lstrcmpiW (lpString1=".doc", lpString2=".MSG") returned -1 [0092.712] lstrlenW (lpString=".docx") returned 5 [0092.712] lstrcmpiW (lpString1=".docx", lpString2="T.MSG") returned -1 [0092.712] lstrlenW (lpString=".pdf") returned 4 [0092.712] lstrcmpiW (lpString1=".pdf", lpString2=".MSG") returned 1 [0092.712] lstrlenW (lpString=".xls") returned 4 [0092.712] lstrcmpiW (lpString1=".xls", lpString2=".MSG") returned 1 [0092.712] lstrlenW (lpString=".xlsx") returned 5 [0092.712] lstrcmpiW (lpString1=".xlsx", lpString2="T.MSG") returned -1 [0092.713] lstrlenW (lpString=".ppt") returned 4 [0092.713] lstrcmpiW (lpString1=".ppt", lpString2=".MSG") returned 1 [0092.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0092.713] lstrlenW (lpString=".zip") returned 4 [0092.713] lstrcmpiW (lpString1=".zip", lpString2=".MSG") returned 1 [0092.713] lstrlenW (lpString=".rar") returned 4 [0092.713] lstrcmpiW (lpString1=".rar", lpString2=".MSG") returned 1 [0092.713] lstrlenW (lpString=".bz2") returned 4 [0092.713] lstrcmpiW (lpString1=".bz2", lpString2=".MSG") returned -1 [0092.713] lstrlenW (lpString=".7z") returned 3 [0092.713] lstrcmpiW (lpString1=".7z", lpString2="MSG") returned -1 [0092.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0092.713] lstrlenW (lpString=".dbf") returned 4 [0092.713] lstrcmpiW (lpString1=".dbf", lpString2=".MSG") returned -1 [0092.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0092.713] lstrlenW (lpString=".1cd") returned 4 [0092.713] lstrcmpiW (lpString1=".1cd", lpString2=".MSG") returned -1 [0092.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0092.713] lstrlenW (lpString=".jpg") returned 4 [0092.713] lstrcmpiW (lpString1=".jpg", lpString2=".MSG") returned -1 [0092.713] lstrcmpiW (lpString1=".bmp", lpString2=".mnbzr") returned -1 [0092.713] lstrlenW (lpString="verisign.bmp") returned 12 [0092.714] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.007] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=2702) returned 1 [0093.007] CloseHandle (hObject=0x1f4) returned 1 [0093.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp")) returned 0x20 [0093.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\services\\verisign.bmp.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0093.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0093.029] lstrlenW (lpString=".doc") returned 4 [0093.029] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0093.029] lstrlenW (lpString=".docx") returned 5 [0093.029] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0093.029] lstrlenW (lpString=".pdf") returned 4 [0093.029] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0093.029] lstrlenW (lpString=".xls") returned 4 [0093.029] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0093.029] lstrlenW (lpString=".xlsx") returned 5 [0093.029] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0093.029] lstrlenW (lpString=".ppt") returned 4 [0093.029] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0093.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0093.029] lstrlenW (lpString=".zip") returned 4 [0093.029] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0093.029] lstrlenW (lpString=".rar") returned 4 [0093.029] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0093.029] lstrlenW (lpString=".bz2") returned 4 [0093.029] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0093.029] lstrlenW (lpString=".7z") returned 3 [0093.030] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0093.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0093.030] lstrlenW (lpString=".dbf") returned 4 [0093.030] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0093.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0093.030] lstrlenW (lpString=".1cd") returned 4 [0093.030] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0093.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0093.030] lstrlenW (lpString=".jpg") returned 4 [0093.030] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0093.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0093.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0093.030] lstrlenW (lpString=".doc") returned 4 [0093.030] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0093.030] lstrlenW (lpString=".docx") returned 5 [0093.030] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0093.030] lstrlenW (lpString=".pdf") returned 4 [0093.030] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0093.030] lstrlenW (lpString=".xls") returned 4 [0093.030] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0093.030] lstrlenW (lpString=".xlsx") returned 5 [0093.031] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0093.031] lstrlenW (lpString=".ppt") returned 4 [0093.031] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0093.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0093.031] lstrlenW (lpString=".zip") returned 4 [0093.031] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0093.031] lstrlenW (lpString=".rar") returned 4 [0093.031] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0093.031] lstrlenW (lpString=".bz2") returned 4 [0093.031] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0093.031] lstrlenW (lpString=".7z") returned 3 [0093.031] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0093.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0093.031] lstrlenW (lpString=".dbf") returned 4 [0093.031] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0093.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0093.031] lstrlenW (lpString=".1cd") returned 4 [0093.031] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0093.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0093.031] lstrlenW (lpString=".jpg") returned 4 [0093.031] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0093.031] lstrcmpiW (lpString1=".png", lpString2=".mnbzr") returned 1 [0093.031] lstrlenW (lpString="DissolveNoise.png") returned 17 [0093.032] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0093.284] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2adff1c | out: lpFileSize=0x2adff1c*=751669) returned 1 [0093.284] CloseHandle (hObject=0x1d8) returned 1 [0093.284] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png")) returned 0x20 [0093.284] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.284] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.284] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0093.284] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0093.284] lstrlenW (lpString=".doc") returned 4 [0093.284] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.284] lstrlenW (lpString=".docx") returned 5 [0093.284] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0093.284] lstrlenW (lpString=".pdf") returned 4 [0093.284] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.284] lstrlenW (lpString=".xls") returned 4 [0093.284] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.284] lstrlenW (lpString=".xlsx") returned 5 [0093.285] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0093.285] lstrlenW (lpString=".ppt") returned 4 [0093.285] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.285] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0093.285] lstrlenW (lpString=".zip") returned 4 [0093.285] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.285] lstrlenW (lpString=".rar") returned 4 [0093.285] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.285] lstrlenW (lpString=".bz2") returned 4 [0093.285] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.285] lstrlenW (lpString=".7z") returned 3 [0093.285] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.285] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0093.285] lstrlenW (lpString=".dbf") returned 4 [0093.285] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.285] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0093.285] lstrlenW (lpString=".1cd") returned 4 [0093.285] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0093.285] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0093.285] lstrlenW (lpString=".jpg") returned 4 [0093.285] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0093.285] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0093.285] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0093.285] lstrlenW (lpString=".doc") returned 4 [0093.285] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.285] lstrlenW (lpString=".docx") returned 5 [0093.285] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0093.286] lstrlenW (lpString=".pdf") returned 4 [0093.286] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.286] lstrlenW (lpString=".xls") returned 4 [0093.286] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.286] lstrlenW (lpString=".xlsx") returned 5 [0093.286] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0093.286] lstrlenW (lpString=".ppt") returned 4 [0093.286] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.286] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0093.286] lstrlenW (lpString=".zip") returned 4 [0093.286] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.286] lstrlenW (lpString=".rar") returned 4 [0093.286] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.286] lstrlenW (lpString=".bz2") returned 4 [0093.286] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.286] lstrlenW (lpString=".7z") returned 3 [0093.286] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.286] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0093.286] lstrlenW (lpString=".dbf") returned 4 [0093.286] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.286] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0093.286] lstrlenW (lpString=".1cd") returned 4 [0093.286] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0093.286] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0093.286] lstrlenW (lpString=".jpg") returned 4 [0093.286] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0093.287] lstrcmpiW (lpString1=".png", lpString2=".mnbzr") returned 1 [0093.287] lstrlenW (lpString="mainimage-mask.png") returned 18 [0093.287] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\mainimage-mask.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 11 os_tid = 0x60c [0066.901] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x307c48 [0066.902] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x317c50 [0066.903] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298c40 [0066.903] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x2e1010 [0066.903] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298c58 [0066.903] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x100000) returned 0x30c0020 [0066.903] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298c70 [0066.903] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298c70, Size=0x20) returned 0x2df3a8 [0066.903] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298c70 [0066.903] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298c70, Size=0x20) returned 0x2df448 [0066.904] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0066.904] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0066.904] Wow64DisableWow64FsRedirection (in: OldValue=0x2c1ff58 | out: OldValue=0x2c1ff58*=0x0) returned 1 [0066.904] lstrlenW (lpString="kernel32.dll") returned 12 [0066.904] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df3a8 | out: hHeap=0x240000) returned 1 [0066.904] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0066.904] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df448 | out: hHeap=0x240000) returned 1 [0066.904] Sleep (dwMilliseconds=0x64) [0067.052] Sleep (dwMilliseconds=0x64) [0067.508] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.508] lstrlenW (lpString="ExcelMUI.xml") returned 12 [0067.508] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.617] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1565) returned 1 [0067.627] CloseHandle (hObject=0x1b8) returned 1 [0067.627] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 0x2020 [0067.627] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.627] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.627] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.628] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.628] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.628] GetLastError () returned 0x0 [0067.628] ReadFile (in: hFile=0x1b8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x61d, lpOverlapped=0x0) returned 1 [0067.642] WriteFile (in: hFile=0x1ac, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x620, lpOverlapped=0x0) returned 1 [0067.643] ReadFile (in: hFile=0x1b8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.643] WriteFile (in: hFile=0x1ac, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0067.644] SetEndOfFile (hFile=0x1ac) returned 1 [0067.644] CloseHandle (hObject=0x1ac) returned 1 [0067.645] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.645] SetEndOfFile (hFile=0x1b8) returned 1 [0067.646] CloseHandle (hObject=0x1b8) returned 1 [0067.646] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.646] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 1 [0067.647] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0067.647] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0067.647] lstrlenW (lpString=".doc") returned 4 [0067.647] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.647] lstrlenW (lpString=".docx") returned 5 [0067.647] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0067.647] lstrlenW (lpString=".pdf") returned 4 [0067.647] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.647] lstrlenW (lpString=".xls") returned 4 [0067.647] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.647] lstrlenW (lpString=".xlsx") returned 5 [0067.647] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0067.647] lstrlenW (lpString=".ppt") returned 4 [0067.647] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.647] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0067.647] lstrlenW (lpString=".zip") returned 4 [0067.647] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.647] lstrlenW (lpString=".rar") returned 4 [0067.647] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.647] lstrlenW (lpString=".bz2") returned 4 [0067.647] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.647] lstrlenW (lpString=".7z") returned 3 [0067.647] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.647] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0067.647] lstrlenW (lpString=".dbf") returned 4 [0067.647] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.647] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0067.647] lstrlenW (lpString=".1cd") returned 4 [0067.647] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.647] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0067.647] lstrlenW (lpString=".jpg") returned 4 [0067.647] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.648] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0067.648] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0067.648] lstrlenW (lpString=".doc") returned 4 [0067.648] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.648] lstrlenW (lpString=".docx") returned 5 [0067.648] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0067.648] lstrlenW (lpString=".pdf") returned 4 [0067.648] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.648] lstrlenW (lpString=".xls") returned 4 [0067.648] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.648] lstrlenW (lpString=".xlsx") returned 5 [0067.648] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0067.648] lstrlenW (lpString=".ppt") returned 4 [0067.648] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.648] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0067.648] lstrlenW (lpString=".zip") returned 4 [0067.648] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.648] lstrlenW (lpString=".rar") returned 4 [0067.648] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.648] lstrlenW (lpString=".bz2") returned 4 [0067.649] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.649] lstrlenW (lpString=".7z") returned 3 [0067.649] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.649] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0067.649] lstrlenW (lpString=".dbf") returned 4 [0067.649] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.649] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0067.649] lstrlenW (lpString=".1cd") returned 4 [0067.649] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.649] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0067.649] lstrlenW (lpString=".jpg") returned 4 [0067.649] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.649] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.649] lstrlenW (lpString="OutlookMUI.xml") returned 14 [0067.649] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.651] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=3186) returned 1 [0067.651] CloseHandle (hObject=0x1b8) returned 1 [0067.652] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 0x2020 [0067.653] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.653] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.653] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.653] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.653] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.653] GetLastError () returned 0x0 [0067.653] ReadFile (in: hFile=0x1b8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0xc72, lpOverlapped=0x0) returned 1 [0067.656] WriteFile (in: hFile=0x1ac, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xc80, lpOverlapped=0x0) returned 1 [0067.657] ReadFile (in: hFile=0x1b8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.657] WriteFile (in: hFile=0x1ac, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0067.657] SetEndOfFile (hFile=0x1ac) returned 1 [0067.657] CloseHandle (hObject=0x1ac) returned 1 [0067.658] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.658] SetEndOfFile (hFile=0x1b8) returned 1 [0067.659] CloseHandle (hObject=0x1b8) returned 1 [0067.660] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.660] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 1 [0067.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0067.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0067.660] lstrlenW (lpString=".doc") returned 4 [0067.660] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.660] lstrlenW (lpString=".docx") returned 5 [0067.660] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0067.660] lstrlenW (lpString=".pdf") returned 4 [0067.660] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.660] lstrlenW (lpString=".xls") returned 4 [0067.660] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.660] lstrlenW (lpString=".xlsx") returned 5 [0067.661] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0067.661] lstrlenW (lpString=".ppt") returned 4 [0067.661] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0067.661] lstrlenW (lpString=".zip") returned 4 [0067.661] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.661] lstrlenW (lpString=".rar") returned 4 [0067.661] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.661] lstrlenW (lpString=".bz2") returned 4 [0067.661] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.661] lstrlenW (lpString=".7z") returned 3 [0067.661] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0067.661] lstrlenW (lpString=".dbf") returned 4 [0067.661] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0067.661] lstrlenW (lpString=".1cd") returned 4 [0067.661] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0067.661] lstrlenW (lpString=".jpg") returned 4 [0067.661] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0067.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0067.661] lstrlenW (lpString=".doc") returned 4 [0067.661] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.661] lstrlenW (lpString=".docx") returned 5 [0067.661] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0067.662] lstrlenW (lpString=".pdf") returned 4 [0067.662] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.662] lstrlenW (lpString=".xls") returned 4 [0067.662] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.662] lstrlenW (lpString=".xlsx") returned 5 [0067.662] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0067.662] lstrlenW (lpString=".ppt") returned 4 [0067.662] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.662] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0067.662] lstrlenW (lpString=".zip") returned 4 [0067.662] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.662] lstrlenW (lpString=".rar") returned 4 [0067.662] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.662] lstrlenW (lpString=".bz2") returned 4 [0067.662] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.662] lstrlenW (lpString=".7z") returned 3 [0067.662] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.662] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0067.662] lstrlenW (lpString=".dbf") returned 4 [0067.662] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.662] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0067.662] lstrlenW (lpString=".1cd") returned 4 [0067.662] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.662] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0067.662] lstrlenW (lpString=".jpg") returned 4 [0067.662] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.663] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.663] lstrlenW (lpString="Setup.xml") returned 9 [0067.663] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.663] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=4207) returned 1 [0067.663] CloseHandle (hObject=0x1b8) returned 1 [0067.663] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0067.663] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.664] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.664] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.664] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.664] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0067.880] GetLastError () returned 0x0 [0067.880] ReadFile (in: hFile=0x1b8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x106f, lpOverlapped=0x0) returned 1 [0067.883] WriteFile (in: hFile=0x1d4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x1070, lpOverlapped=0x0) returned 1 [0067.884] ReadFile (in: hFile=0x1b8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.884] WriteFile (in: hFile=0x1d4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0067.884] SetEndOfFile (hFile=0x1d4) returned 1 [0067.884] CloseHandle (hObject=0x1d4) returned 1 [0067.891] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.891] SetEndOfFile (hFile=0x1b8) returned 1 [0067.892] CloseHandle (hObject=0x1b8) returned 1 [0067.892] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.892] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0067.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.893] lstrlenW (lpString=".doc") returned 4 [0067.893] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.893] lstrlenW (lpString=".docx") returned 5 [0067.893] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0067.893] lstrlenW (lpString=".pdf") returned 4 [0067.893] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.893] lstrlenW (lpString=".xls") returned 4 [0067.893] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.893] lstrlenW (lpString=".xlsx") returned 5 [0067.893] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0067.893] lstrlenW (lpString=".ppt") returned 4 [0067.893] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.893] lstrlenW (lpString=".zip") returned 4 [0067.893] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.893] lstrlenW (lpString=".rar") returned 4 [0067.893] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.893] lstrlenW (lpString=".bz2") returned 4 [0067.893] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.893] lstrlenW (lpString=".7z") returned 3 [0067.893] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.894] lstrlenW (lpString=".dbf") returned 4 [0067.894] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.894] lstrlenW (lpString=".1cd") returned 4 [0067.894] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.894] lstrlenW (lpString=".jpg") returned 4 [0067.894] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.894] lstrlenW (lpString=".doc") returned 4 [0067.894] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.894] lstrlenW (lpString=".docx") returned 5 [0067.894] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0067.894] lstrlenW (lpString=".pdf") returned 4 [0067.894] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.894] lstrlenW (lpString=".xls") returned 4 [0067.894] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.894] lstrlenW (lpString=".xlsx") returned 5 [0067.894] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0067.894] lstrlenW (lpString=".ppt") returned 4 [0067.894] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.894] lstrlenW (lpString=".zip") returned 4 [0067.894] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.894] lstrlenW (lpString=".rar") returned 4 [0067.894] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.895] lstrlenW (lpString=".bz2") returned 4 [0067.895] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.895] lstrlenW (lpString=".7z") returned 3 [0067.895] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.895] lstrlenW (lpString=".dbf") returned 4 [0067.895] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.895] lstrlenW (lpString=".1cd") returned 4 [0067.895] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.895] lstrlenW (lpString=".jpg") returned 4 [0067.895] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.895] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.895] lstrlenW (lpString="Proofing.xml") returned 12 [0067.895] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.896] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=811) returned 1 [0067.896] CloseHandle (hObject=0x1b8) returned 1 [0067.896] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 0x2020 [0067.896] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.896] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.896] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.896] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.896] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0067.897] GetLastError () returned 0x0 [0067.897] ReadFile (in: hFile=0x1b8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x32b, lpOverlapped=0x0) returned 1 [0067.900] WriteFile (in: hFile=0x1d4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x330, lpOverlapped=0x0) returned 1 [0067.901] ReadFile (in: hFile=0x1b8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.902] WriteFile (in: hFile=0x1d4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0067.902] SetEndOfFile (hFile=0x1d4) returned 1 [0067.902] CloseHandle (hObject=0x1d4) returned 1 [0067.903] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.903] SetEndOfFile (hFile=0x1b8) returned 1 [0067.904] CloseHandle (hObject=0x1b8) returned 1 [0067.905] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.905] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 1 [0067.905] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0067.905] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0067.905] lstrlenW (lpString=".doc") returned 4 [0067.905] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.905] lstrlenW (lpString=".docx") returned 5 [0067.905] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0067.905] lstrlenW (lpString=".pdf") returned 4 [0067.905] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.905] lstrlenW (lpString=".xls") returned 4 [0067.906] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.906] lstrlenW (lpString=".xlsx") returned 5 [0067.906] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0067.906] lstrlenW (lpString=".ppt") returned 4 [0067.906] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0067.906] lstrlenW (lpString=".zip") returned 4 [0067.906] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.906] lstrlenW (lpString=".rar") returned 4 [0067.906] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.906] lstrlenW (lpString=".bz2") returned 4 [0067.906] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.906] lstrlenW (lpString=".7z") returned 3 [0067.906] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0067.906] lstrlenW (lpString=".dbf") returned 4 [0067.906] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0067.906] lstrlenW (lpString=".1cd") returned 4 [0067.906] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0067.906] lstrlenW (lpString=".jpg") returned 4 [0067.906] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0067.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0067.906] lstrlenW (lpString=".doc") returned 4 [0067.906] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.907] lstrlenW (lpString=".docx") returned 5 [0067.907] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0067.907] lstrlenW (lpString=".pdf") returned 4 [0067.907] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.907] lstrlenW (lpString=".xls") returned 4 [0067.907] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.907] lstrlenW (lpString=".xlsx") returned 5 [0067.907] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0067.907] lstrlenW (lpString=".ppt") returned 4 [0067.907] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.907] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0067.907] lstrlenW (lpString=".zip") returned 4 [0067.907] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.907] lstrlenW (lpString=".rar") returned 4 [0067.907] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.907] lstrlenW (lpString=".bz2") returned 4 [0067.907] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.907] lstrlenW (lpString=".7z") returned 3 [0067.907] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.907] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0067.907] lstrlenW (lpString=".dbf") returned 4 [0067.907] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.907] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0067.907] lstrlenW (lpString=".1cd") returned 4 [0067.907] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.907] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0067.907] lstrlenW (lpString=".jpg") returned 4 [0067.907] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.908] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.908] lstrlenW (lpString="Setup.xml") returned 9 [0067.908] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.908] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=5884) returned 1 [0067.908] CloseHandle (hObject=0x1b8) returned 1 [0067.908] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0067.908] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.908] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.909] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.909] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.909] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0067.909] GetLastError () returned 0x0 [0067.909] ReadFile (in: hFile=0x1b8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x16fc, lpOverlapped=0x0) returned 1 [0067.912] WriteFile (in: hFile=0x1d4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x1700, lpOverlapped=0x0) returned 1 [0067.913] ReadFile (in: hFile=0x1b8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.913] WriteFile (in: hFile=0x1d4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0067.913] SetEndOfFile (hFile=0x1d4) returned 1 [0067.913] CloseHandle (hObject=0x1d4) returned 1 [0068.367] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.367] SetEndOfFile (hFile=0x1b8) returned 1 [0068.368] CloseHandle (hObject=0x1b8) returned 1 [0068.368] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0068.368] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0068.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.369] lstrlenW (lpString=".doc") returned 4 [0068.369] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.369] lstrlenW (lpString=".docx") returned 5 [0068.369] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0068.369] lstrlenW (lpString=".pdf") returned 4 [0068.369] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.369] lstrlenW (lpString=".xls") returned 4 [0068.369] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.369] lstrlenW (lpString=".xlsx") returned 5 [0068.369] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0068.369] lstrlenW (lpString=".ppt") returned 4 [0068.369] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.369] lstrlenW (lpString=".zip") returned 4 [0068.369] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.369] lstrlenW (lpString=".rar") returned 4 [0068.369] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.369] lstrlenW (lpString=".bz2") returned 4 [0068.369] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.369] lstrlenW (lpString=".7z") returned 3 [0068.369] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.369] lstrlenW (lpString=".dbf") returned 4 [0068.369] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.369] lstrlenW (lpString=".1cd") returned 4 [0068.370] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.370] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.370] lstrlenW (lpString=".jpg") returned 4 [0068.370] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.370] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.370] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.370] lstrlenW (lpString=".doc") returned 4 [0068.370] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.370] lstrlenW (lpString=".docx") returned 5 [0068.370] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0068.370] lstrlenW (lpString=".pdf") returned 4 [0068.370] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.370] lstrlenW (lpString=".xls") returned 4 [0068.370] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.370] lstrlenW (lpString=".xlsx") returned 5 [0068.370] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0068.370] lstrlenW (lpString=".ppt") returned 4 [0068.370] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.370] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.370] lstrlenW (lpString=".zip") returned 4 [0068.370] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.370] lstrlenW (lpString=".rar") returned 4 [0068.370] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.370] lstrlenW (lpString=".bz2") returned 4 [0068.370] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.370] lstrlenW (lpString=".7z") returned 3 [0068.370] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.370] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.371] lstrlenW (lpString=".dbf") returned 4 [0068.371] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.371] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.371] lstrlenW (lpString=".1cd") returned 4 [0068.371] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.371] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.371] lstrlenW (lpString=".jpg") returned 4 [0068.371] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.371] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0068.371] lstrlenW (lpString="GrooveMUI.xml") returned 13 [0068.371] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0069.605] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=913) returned 1 [0069.605] CloseHandle (hObject=0x1c8) returned 1 [0069.605] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 0x2020 [0069.605] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0069.605] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0069.605] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.606] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.606] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0069.606] GetLastError () returned 0x0 [0069.606] ReadFile (in: hFile=0x1c8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x391, lpOverlapped=0x0) returned 1 [0069.660] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0069.661] ReadFile (in: hFile=0x1c8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0069.661] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xee, lpOverlapped=0x0) returned 1 [0069.661] SetEndOfFile (hFile=0x204) returned 1 [0069.661] CloseHandle (hObject=0x204) returned 1 [0069.663] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.663] SetEndOfFile (hFile=0x1c8) returned 1 [0069.664] CloseHandle (hObject=0x1c8) returned 1 [0069.664] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0069.665] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 1 [0069.665] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0069.665] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0069.665] lstrlenW (lpString=".doc") returned 4 [0069.665] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.665] lstrlenW (lpString=".docx") returned 5 [0069.665] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0069.665] lstrlenW (lpString=".pdf") returned 4 [0069.665] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.665] lstrlenW (lpString=".xls") returned 4 [0069.665] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.665] lstrlenW (lpString=".xlsx") returned 5 [0069.665] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0069.665] lstrlenW (lpString=".ppt") returned 4 [0069.665] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.665] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0069.665] lstrlenW (lpString=".zip") returned 4 [0069.665] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.665] lstrlenW (lpString=".rar") returned 4 [0069.665] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.665] lstrlenW (lpString=".bz2") returned 4 [0069.665] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.665] lstrlenW (lpString=".7z") returned 3 [0069.665] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0069.666] lstrlenW (lpString=".dbf") returned 4 [0069.666] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0069.666] lstrlenW (lpString=".1cd") returned 4 [0069.666] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0069.666] lstrlenW (lpString=".jpg") returned 4 [0069.666] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0069.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0069.666] lstrlenW (lpString=".doc") returned 4 [0069.666] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.666] lstrlenW (lpString=".docx") returned 5 [0069.666] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0069.666] lstrlenW (lpString=".pdf") returned 4 [0069.666] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.666] lstrlenW (lpString=".xls") returned 4 [0069.666] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.666] lstrlenW (lpString=".xlsx") returned 5 [0069.666] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0069.666] lstrlenW (lpString=".ppt") returned 4 [0069.666] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0069.666] lstrlenW (lpString=".zip") returned 4 [0069.666] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.666] lstrlenW (lpString=".rar") returned 4 [0069.666] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.666] lstrlenW (lpString=".bz2") returned 4 [0069.666] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.666] lstrlenW (lpString=".7z") returned 3 [0069.666] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0069.667] lstrlenW (lpString=".dbf") returned 4 [0069.667] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0069.667] lstrlenW (lpString=".1cd") returned 4 [0069.667] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0069.667] lstrlenW (lpString=".jpg") returned 4 [0069.667] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.667] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0069.667] lstrlenW (lpString="Setup.xml") returned 9 [0069.667] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0069.786] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=9352) returned 1 [0069.787] CloseHandle (hObject=0x1f0) returned 1 [0069.787] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0069.787] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0069.787] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0069.787] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.787] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.787] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0069.788] GetLastError () returned 0x0 [0069.788] ReadFile (in: hFile=0x1f0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x2488, lpOverlapped=0x0) returned 1 [0070.594] WriteFile (in: hFile=0x1f4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x2490, lpOverlapped=0x0) returned 1 [0070.596] ReadFile (in: hFile=0x1f0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.596] WriteFile (in: hFile=0x1f4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0070.596] SetEndOfFile (hFile=0x1f4) returned 1 [0070.596] CloseHandle (hObject=0x1f4) returned 1 [0070.597] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.597] SetEndOfFile (hFile=0x1f0) returned 1 [0070.599] CloseHandle (hObject=0x1f0) returned 1 [0070.599] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0070.599] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0070.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.599] lstrlenW (lpString=".doc") returned 4 [0070.599] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.599] lstrlenW (lpString=".docx") returned 5 [0070.599] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0070.599] lstrlenW (lpString=".pdf") returned 4 [0070.599] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.600] lstrlenW (lpString=".xls") returned 4 [0070.600] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.600] lstrlenW (lpString=".xlsx") returned 5 [0070.600] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0070.600] lstrlenW (lpString=".ppt") returned 4 [0070.600] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.600] lstrlenW (lpString=".zip") returned 4 [0070.600] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.600] lstrlenW (lpString=".rar") returned 4 [0070.600] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.600] lstrlenW (lpString=".bz2") returned 4 [0070.600] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.600] lstrlenW (lpString=".7z") returned 3 [0070.600] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.600] lstrlenW (lpString=".dbf") returned 4 [0070.600] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.600] lstrlenW (lpString=".1cd") returned 4 [0070.600] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.600] lstrlenW (lpString=".jpg") returned 4 [0070.600] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.601] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.601] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.601] lstrlenW (lpString=".doc") returned 4 [0070.601] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.601] lstrlenW (lpString=".docx") returned 5 [0070.601] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0070.601] lstrlenW (lpString=".pdf") returned 4 [0070.601] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.601] lstrlenW (lpString=".xls") returned 4 [0070.601] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.601] lstrlenW (lpString=".xlsx") returned 5 [0070.601] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0070.601] lstrlenW (lpString=".ppt") returned 4 [0070.601] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.601] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.601] lstrlenW (lpString=".zip") returned 4 [0070.601] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.601] lstrlenW (lpString=".rar") returned 4 [0070.601] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.601] lstrlenW (lpString=".bz2") returned 4 [0070.601] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.601] lstrlenW (lpString=".7z") returned 3 [0070.601] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.601] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.601] lstrlenW (lpString=".dbf") returned 4 [0070.602] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.602] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.602] lstrlenW (lpString=".1cd") returned 4 [0070.602] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.602] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0070.602] lstrlenW (lpString=".jpg") returned 4 [0070.602] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.602] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0070.602] lstrlenW (lpString="Office32WW.xml") returned 14 [0070.602] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0070.617] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=4274) returned 1 [0070.617] CloseHandle (hObject=0x164) returned 1 [0070.617] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0070.617] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0070.617] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0070.617] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.617] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.617] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0070.618] GetLastError () returned 0x0 [0070.618] ReadFile (in: hFile=0x164, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0070.734] WriteFile (in: hFile=0x1e4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0070.735] ReadFile (in: hFile=0x164, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.735] WriteFile (in: hFile=0x1e4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0070.735] SetEndOfFile (hFile=0x1e4) returned 1 [0070.735] CloseHandle (hObject=0x1e4) returned 1 [0070.736] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.736] SetEndOfFile (hFile=0x164) returned 1 [0070.738] CloseHandle (hObject=0x164) returned 1 [0070.738] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0070.738] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0070.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0070.738] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0070.738] lstrlenW (lpString=".doc") returned 4 [0070.738] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.738] lstrlenW (lpString=".docx") returned 5 [0070.738] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0070.738] lstrlenW (lpString=".pdf") returned 4 [0070.738] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.738] lstrlenW (lpString=".xls") returned 4 [0070.739] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.739] lstrlenW (lpString=".xlsx") returned 5 [0070.739] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0070.739] lstrlenW (lpString=".ppt") returned 4 [0070.739] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0070.739] lstrlenW (lpString=".zip") returned 4 [0070.739] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.739] lstrlenW (lpString=".rar") returned 4 [0070.739] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.739] lstrlenW (lpString=".bz2") returned 4 [0070.739] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.739] lstrlenW (lpString=".7z") returned 3 [0070.739] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0070.739] lstrlenW (lpString=".dbf") returned 4 [0070.739] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0070.739] lstrlenW (lpString=".1cd") returned 4 [0070.739] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0070.739] lstrlenW (lpString=".jpg") returned 4 [0070.739] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0070.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0070.739] lstrlenW (lpString=".doc") returned 4 [0070.739] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0070.739] lstrlenW (lpString=".docx") returned 5 [0070.740] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0070.740] lstrlenW (lpString=".pdf") returned 4 [0070.740] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0070.740] lstrlenW (lpString=".xls") returned 4 [0070.740] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0070.740] lstrlenW (lpString=".xlsx") returned 5 [0070.740] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0070.740] lstrlenW (lpString=".ppt") returned 4 [0070.740] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0070.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0070.740] lstrlenW (lpString=".zip") returned 4 [0070.740] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0070.740] lstrlenW (lpString=".rar") returned 4 [0070.740] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0070.740] lstrlenW (lpString=".bz2") returned 4 [0070.740] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0070.740] lstrlenW (lpString=".7z") returned 3 [0070.740] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0070.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0070.740] lstrlenW (lpString=".dbf") returned 4 [0070.740] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0070.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0070.740] lstrlenW (lpString=".1cd") returned 4 [0070.740] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0070.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0070.740] lstrlenW (lpString=".jpg") returned 4 [0070.740] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0070.741] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0070.741] lstrlenW (lpString="Office32WW.xml") returned 14 [0070.741] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0070.742] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=4274) returned 1 [0070.742] CloseHandle (hObject=0x164) returned 1 [0070.742] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0070.742] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0070.742] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0070.742] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.743] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.743] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0070.743] GetLastError () returned 0x0 [0070.743] ReadFile (in: hFile=0x164, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0070.758] WriteFile (in: hFile=0x1e4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0070.759] ReadFile (in: hFile=0x164, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.759] WriteFile (in: hFile=0x1e4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0070.759] SetEndOfFile (hFile=0x1e4) returned 1 [0070.759] CloseHandle (hObject=0x1e4) returned 1 [0070.767] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.767] SetEndOfFile (hFile=0x164) returned 1 [0070.768] CloseHandle (hObject=0x164) returned 1 [0070.768] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0071.040] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0071.041] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.041] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.041] lstrlenW (lpString=".doc") returned 4 [0071.041] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0071.041] lstrlenW (lpString=".docx") returned 5 [0071.041] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0071.041] lstrlenW (lpString=".pdf") returned 4 [0071.041] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0071.041] lstrlenW (lpString=".xls") returned 4 [0071.041] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0071.041] lstrlenW (lpString=".xlsx") returned 5 [0071.041] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0071.041] lstrlenW (lpString=".ppt") returned 4 [0071.041] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0071.041] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.041] lstrlenW (lpString=".zip") returned 4 [0071.041] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0071.041] lstrlenW (lpString=".rar") returned 4 [0071.041] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0071.041] lstrlenW (lpString=".bz2") returned 4 [0071.041] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0071.041] lstrlenW (lpString=".7z") returned 3 [0071.041] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0071.041] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.041] lstrlenW (lpString=".dbf") returned 4 [0071.041] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0071.042] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.042] lstrlenW (lpString=".1cd") returned 4 [0071.042] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0071.042] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.042] lstrlenW (lpString=".jpg") returned 4 [0071.042] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0071.042] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.042] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.042] lstrlenW (lpString=".doc") returned 4 [0071.042] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0071.042] lstrlenW (lpString=".docx") returned 5 [0071.042] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0071.042] lstrlenW (lpString=".pdf") returned 4 [0071.042] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0071.042] lstrlenW (lpString=".xls") returned 4 [0071.042] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0071.042] lstrlenW (lpString=".xlsx") returned 5 [0071.042] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0071.042] lstrlenW (lpString=".ppt") returned 4 [0071.043] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0071.043] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.043] lstrlenW (lpString=".zip") returned 4 [0071.043] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0071.043] lstrlenW (lpString=".rar") returned 4 [0071.043] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0071.043] lstrlenW (lpString=".bz2") returned 4 [0071.043] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0071.043] lstrlenW (lpString=".7z") returned 3 [0071.043] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0071.043] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.043] lstrlenW (lpString=".dbf") returned 4 [0071.043] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0071.043] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.043] lstrlenW (lpString=".1cd") returned 4 [0071.043] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0071.043] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0071.043] lstrlenW (lpString=".jpg") returned 4 [0071.043] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0071.043] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0071.043] lstrlenW (lpString="VisiorWW.xml") returned 12 [0071.044] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0071.182] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=8723) returned 1 [0071.182] CloseHandle (hObject=0x164) returned 1 [0071.182] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 0x2020 [0071.182] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.182] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0071.182] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.182] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.182] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0071.182] GetLastError () returned 0x0 [0071.182] ReadFile (in: hFile=0x164, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x2213, lpOverlapped=0x0) returned 1 [0071.185] WriteFile (in: hFile=0x1f4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x2220, lpOverlapped=0x0) returned 1 [0071.186] ReadFile (in: hFile=0x164, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0071.186] WriteFile (in: hFile=0x1f4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0071.186] SetEndOfFile (hFile=0x1f4) returned 1 [0071.186] CloseHandle (hObject=0x1f4) returned 1 [0071.187] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.187] SetEndOfFile (hFile=0x164) returned 1 [0071.188] CloseHandle (hObject=0x164) returned 1 [0071.189] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0071.189] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 1 [0071.189] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0071.189] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0071.189] lstrlenW (lpString=".doc") returned 4 [0071.189] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0071.189] lstrlenW (lpString=".docx") returned 5 [0071.189] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0071.189] lstrlenW (lpString=".pdf") returned 4 [0071.189] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0071.189] lstrlenW (lpString=".xls") returned 4 [0071.189] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0071.190] lstrlenW (lpString=".xlsx") returned 5 [0071.190] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0071.190] lstrlenW (lpString=".ppt") returned 4 [0071.190] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0071.190] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0071.190] lstrlenW (lpString=".zip") returned 4 [0071.190] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0071.190] lstrlenW (lpString=".rar") returned 4 [0071.190] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0071.190] lstrlenW (lpString=".bz2") returned 4 [0071.190] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0071.190] lstrlenW (lpString=".7z") returned 3 [0071.190] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0071.190] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0071.190] lstrlenW (lpString=".dbf") returned 4 [0071.191] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0071.191] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0071.191] lstrlenW (lpString=".1cd") returned 4 [0071.191] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0071.191] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0071.191] lstrlenW (lpString=".jpg") returned 4 [0071.191] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0071.191] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0071.191] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0071.191] lstrlenW (lpString=".doc") returned 4 [0071.191] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0071.191] lstrlenW (lpString=".docx") returned 5 [0071.191] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0071.191] lstrlenW (lpString=".pdf") returned 4 [0071.191] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0071.191] lstrlenW (lpString=".xls") returned 4 [0071.191] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0071.191] lstrlenW (lpString=".xlsx") returned 5 [0071.191] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0071.191] lstrlenW (lpString=".ppt") returned 4 [0071.191] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0071.191] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0071.191] lstrlenW (lpString=".zip") returned 4 [0071.192] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0071.192] lstrlenW (lpString=".rar") returned 4 [0071.192] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0071.192] lstrlenW (lpString=".bz2") returned 4 [0071.192] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0071.192] lstrlenW (lpString=".7z") returned 3 [0071.192] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0071.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0071.192] lstrlenW (lpString=".dbf") returned 4 [0071.192] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0071.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0071.192] lstrlenW (lpString=".1cd") returned 4 [0071.192] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0071.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0071.192] lstrlenW (lpString=".jpg") returned 4 [0071.192] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0071.220] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0071.220] lstrlenW (lpString="MS.GIF") returned 6 [0071.220] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0071.220] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1069) returned 1 [0071.220] CloseHandle (hObject=0x1e8) returned 1 [0071.221] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 0x20 [0071.221] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.221] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0071.221] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.221] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.221] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0071.222] GetLastError () returned 0x0 [0071.222] ReadFile (in: hFile=0x1e8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x42d, lpOverlapped=0x0) returned 1 [0071.224] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x430, lpOverlapped=0x0) returned 1 [0071.225] ReadFile (in: hFile=0x1e8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0071.225] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0071.226] SetEndOfFile (hFile=0x204) returned 1 [0071.226] CloseHandle (hObject=0x204) returned 1 [0071.227] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.227] SetEndOfFile (hFile=0x1e8) returned 1 [0071.228] CloseHandle (hObject=0x1e8) returned 1 [0071.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0071.228] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 1 [0071.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0071.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0071.229] lstrlenW (lpString=".doc") returned 4 [0071.229] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0071.229] lstrlenW (lpString=".docx") returned 5 [0071.229] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0071.229] lstrlenW (lpString=".pdf") returned 4 [0071.229] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0071.229] lstrlenW (lpString=".xls") returned 4 [0071.229] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0071.229] lstrlenW (lpString=".xlsx") returned 5 [0071.229] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0071.229] lstrlenW (lpString=".ppt") returned 4 [0071.229] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0071.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0071.229] lstrlenW (lpString=".zip") returned 4 [0071.229] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0071.229] lstrlenW (lpString=".rar") returned 4 [0071.229] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0071.229] lstrlenW (lpString=".bz2") returned 4 [0071.229] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0071.229] lstrlenW (lpString=".7z") returned 3 [0071.229] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0071.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0071.229] lstrlenW (lpString=".dbf") returned 4 [0071.229] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0071.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0071.229] lstrlenW (lpString=".1cd") returned 4 [0071.229] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0071.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0071.229] lstrlenW (lpString=".jpg") returned 4 [0071.229] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0071.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0071.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0071.230] lstrlenW (lpString=".doc") returned 4 [0071.230] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0071.230] lstrlenW (lpString=".docx") returned 5 [0071.230] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0071.230] lstrlenW (lpString=".pdf") returned 4 [0071.230] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0071.230] lstrlenW (lpString=".xls") returned 4 [0071.230] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0071.230] lstrlenW (lpString=".xlsx") returned 5 [0071.230] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0071.230] lstrlenW (lpString=".ppt") returned 4 [0071.230] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0071.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0071.230] lstrlenW (lpString=".zip") returned 4 [0071.230] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0071.230] lstrlenW (lpString=".rar") returned 4 [0071.230] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0071.230] lstrlenW (lpString=".bz2") returned 4 [0071.230] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0071.230] lstrlenW (lpString=".7z") returned 3 [0071.230] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0071.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0071.230] lstrlenW (lpString=".dbf") returned 4 [0071.230] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0071.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0071.230] lstrlenW (lpString=".1cd") returned 4 [0071.230] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0071.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0071.230] lstrlenW (lpString=".jpg") returned 4 [0071.230] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0071.231] lstrcmpiW (lpString1=".JPG", lpString2=".mnbzr") returned -1 [0071.231] lstrlenW (lpString="MS.JPG") returned 6 [0071.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0071.232] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1061) returned 1 [0071.232] CloseHandle (hObject=0x1e8) returned 1 [0071.232] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 0x20 [0071.232] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.232] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0071.232] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.232] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.232] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0071.232] GetLastError () returned 0x0 [0071.233] ReadFile (in: hFile=0x1e8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x425, lpOverlapped=0x0) returned 1 [0071.234] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x430, lpOverlapped=0x0) returned 1 [0071.236] ReadFile (in: hFile=0x1e8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0071.236] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0071.236] SetEndOfFile (hFile=0x204) returned 1 [0071.236] CloseHandle (hObject=0x204) returned 1 [0071.239] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.239] SetEndOfFile (hFile=0x1e8) returned 1 [0071.240] CloseHandle (hObject=0x1e8) returned 1 [0071.240] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0071.241] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 1 [0071.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0071.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0071.241] lstrlenW (lpString=".doc") returned 4 [0071.241] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0071.241] lstrlenW (lpString=".docx") returned 5 [0071.241] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0071.241] lstrlenW (lpString=".pdf") returned 4 [0071.241] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0071.241] lstrlenW (lpString=".xls") returned 4 [0071.241] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0071.241] lstrlenW (lpString=".xlsx") returned 5 [0071.241] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0071.241] lstrlenW (lpString=".ppt") returned 4 [0071.241] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0071.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0071.241] lstrlenW (lpString=".zip") returned 4 [0071.242] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0071.242] lstrlenW (lpString=".rar") returned 4 [0071.242] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0071.242] lstrlenW (lpString=".bz2") returned 4 [0071.242] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0071.242] lstrlenW (lpString=".7z") returned 3 [0071.242] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0071.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0071.242] lstrlenW (lpString=".dbf") returned 4 [0071.242] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0071.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0071.242] lstrlenW (lpString=".1cd") returned 4 [0071.242] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0071.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0071.242] lstrlenW (lpString=".jpg") returned 4 [0071.242] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0071.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0071.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0071.242] lstrlenW (lpString=".doc") returned 4 [0071.242] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0071.242] lstrlenW (lpString=".docx") returned 5 [0071.242] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0071.242] lstrlenW (lpString=".pdf") returned 4 [0071.242] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0071.242] lstrlenW (lpString=".xls") returned 4 [0071.242] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0071.242] lstrlenW (lpString=".xlsx") returned 5 [0071.243] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0071.243] lstrlenW (lpString=".ppt") returned 4 [0071.243] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0071.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0071.243] lstrlenW (lpString=".zip") returned 4 [0071.243] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0071.243] lstrlenW (lpString=".rar") returned 4 [0071.243] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0071.243] lstrlenW (lpString=".bz2") returned 4 [0071.243] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0071.243] lstrlenW (lpString=".7z") returned 3 [0071.243] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0071.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0071.243] lstrlenW (lpString=".dbf") returned 4 [0071.243] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0071.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0071.243] lstrlenW (lpString=".1cd") returned 4 [0071.243] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0071.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0071.243] lstrlenW (lpString=".jpg") returned 4 [0071.243] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0071.243] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0071.243] lstrlenW (lpString="MS.PNG") returned 6 [0071.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0071.244] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1682) returned 1 [0071.244] CloseHandle (hObject=0x1e8) returned 1 [0071.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 0x20 [0071.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0071.244] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.244] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0071.245] GetLastError () returned 0x0 [0071.245] ReadFile (in: hFile=0x1e8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x692, lpOverlapped=0x0) returned 1 [0071.499] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x6a0, lpOverlapped=0x0) returned 1 [0071.500] ReadFile (in: hFile=0x1e8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0071.501] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0071.501] SetEndOfFile (hFile=0x204) returned 1 [0071.501] CloseHandle (hObject=0x204) returned 1 [0071.502] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.502] SetEndOfFile (hFile=0x1e8) returned 1 [0071.503] CloseHandle (hObject=0x1e8) returned 1 [0071.504] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0071.504] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 1 [0071.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0071.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0071.504] lstrlenW (lpString=".doc") returned 4 [0071.504] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0071.504] lstrlenW (lpString=".docx") returned 5 [0071.505] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0071.505] lstrlenW (lpString=".pdf") returned 4 [0071.505] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0071.505] lstrlenW (lpString=".xls") returned 4 [0071.505] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0071.505] lstrlenW (lpString=".xlsx") returned 5 [0071.505] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0071.505] lstrlenW (lpString=".ppt") returned 4 [0071.505] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0071.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0071.505] lstrlenW (lpString=".zip") returned 4 [0071.505] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0071.505] lstrlenW (lpString=".rar") returned 4 [0071.505] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0071.505] lstrlenW (lpString=".bz2") returned 4 [0071.505] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0071.505] lstrlenW (lpString=".7z") returned 3 [0071.505] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0071.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0071.505] lstrlenW (lpString=".dbf") returned 4 [0071.505] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0071.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0071.505] lstrlenW (lpString=".1cd") returned 4 [0071.505] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0071.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0071.505] lstrlenW (lpString=".jpg") returned 4 [0071.505] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0071.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0071.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0071.506] lstrlenW (lpString=".doc") returned 4 [0071.506] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0071.506] lstrlenW (lpString=".docx") returned 5 [0071.506] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0071.506] lstrlenW (lpString=".pdf") returned 4 [0071.506] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0071.506] lstrlenW (lpString=".xls") returned 4 [0071.506] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0071.506] lstrlenW (lpString=".xlsx") returned 5 [0071.506] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0071.506] lstrlenW (lpString=".ppt") returned 4 [0071.506] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0071.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0071.506] lstrlenW (lpString=".zip") returned 4 [0071.506] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0071.506] lstrlenW (lpString=".rar") returned 4 [0071.506] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0071.506] lstrlenW (lpString=".bz2") returned 4 [0071.506] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0071.506] lstrlenW (lpString=".7z") returned 3 [0071.506] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0071.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0071.506] lstrlenW (lpString=".dbf") returned 4 [0071.506] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0071.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0071.507] lstrlenW (lpString=".1cd") returned 4 [0071.507] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0071.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0071.507] lstrlenW (lpString=".jpg") returned 4 [0071.507] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0071.507] lstrcmpiW (lpString1=".avi", lpString2=".mnbzr") returned -1 [0071.507] lstrlenW (lpString="boxed-delete.avi") returned 16 [0071.507] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0071.783] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=31744) returned 1 [0071.783] CloseHandle (hObject=0x1ec) returned 1 [0071.783] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0071.783] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.783] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0071.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0071.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0071.783] lstrlenW (lpString=".doc") returned 4 [0071.783] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.783] lstrlenW (lpString=".docx") returned 5 [0071.783] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0071.783] lstrlenW (lpString=".pdf") returned 4 [0071.783] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.783] lstrlenW (lpString=".xls") returned 4 [0071.783] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.784] lstrlenW (lpString=".xlsx") returned 5 [0071.784] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0071.784] lstrlenW (lpString=".ppt") returned 4 [0071.784] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0071.784] lstrlenW (lpString=".zip") returned 4 [0071.784] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.784] lstrlenW (lpString=".rar") returned 4 [0071.784] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.784] lstrlenW (lpString=".bz2") returned 4 [0071.784] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.784] lstrlenW (lpString=".7z") returned 3 [0071.784] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0071.784] lstrlenW (lpString=".dbf") returned 4 [0071.784] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0071.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0071.784] lstrlenW (lpString=".1cd") returned 4 [0071.784] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0071.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0071.784] lstrlenW (lpString=".jpg") returned 4 [0071.784] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0071.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0071.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0071.784] lstrlenW (lpString=".doc") returned 4 [0071.784] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.784] lstrlenW (lpString=".docx") returned 5 [0071.784] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0071.784] lstrlenW (lpString=".pdf") returned 4 [0071.784] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.784] lstrlenW (lpString=".xls") returned 4 [0071.784] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.784] lstrlenW (lpString=".xlsx") returned 5 [0071.785] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0071.785] lstrlenW (lpString=".ppt") returned 4 [0071.785] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0071.785] lstrlenW (lpString=".zip") returned 4 [0071.785] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.785] lstrlenW (lpString=".rar") returned 4 [0071.785] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.785] lstrlenW (lpString=".bz2") returned 4 [0071.785] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.785] lstrlenW (lpString=".7z") returned 3 [0071.785] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0071.785] lstrlenW (lpString=".dbf") returned 4 [0071.785] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0071.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0071.785] lstrlenW (lpString=".1cd") returned 4 [0071.785] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0071.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0071.785] lstrlenW (lpString=".jpg") returned 4 [0071.785] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0071.785] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0071.785] lstrlenW (lpString="auxbase.xml") returned 11 [0071.785] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.023] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1434) returned 1 [0072.023] CloseHandle (hObject=0x1ec) returned 1 [0072.023] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0072.023] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.023] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0072.023] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0072.023] lstrlenW (lpString=".doc") returned 4 [0072.024] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.024] lstrlenW (lpString=".docx") returned 5 [0072.024] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0072.024] lstrlenW (lpString=".pdf") returned 4 [0072.024] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.024] lstrlenW (lpString=".xls") returned 4 [0072.024] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.024] lstrlenW (lpString=".xlsx") returned 5 [0072.024] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0072.024] lstrlenW (lpString=".ppt") returned 4 [0072.024] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0072.024] lstrlenW (lpString=".zip") returned 4 [0072.024] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.024] lstrlenW (lpString=".rar") returned 4 [0072.024] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.024] lstrlenW (lpString=".bz2") returned 4 [0072.024] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.024] lstrlenW (lpString=".7z") returned 3 [0072.024] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0072.024] lstrlenW (lpString=".dbf") returned 4 [0072.024] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0072.024] lstrlenW (lpString=".1cd") returned 4 [0072.024] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0072.025] lstrlenW (lpString=".jpg") returned 4 [0072.025] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0072.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0072.025] lstrlenW (lpString=".doc") returned 4 [0072.025] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.025] lstrlenW (lpString=".docx") returned 5 [0072.025] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0072.025] lstrlenW (lpString=".pdf") returned 4 [0072.025] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.025] lstrlenW (lpString=".xls") returned 4 [0072.025] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.025] lstrlenW (lpString=".xlsx") returned 5 [0072.025] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0072.025] lstrlenW (lpString=".ppt") returned 4 [0072.025] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0072.025] lstrlenW (lpString=".zip") returned 4 [0072.025] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.025] lstrlenW (lpString=".rar") returned 4 [0072.025] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.025] lstrlenW (lpString=".bz2") returned 4 [0072.025] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.025] lstrlenW (lpString=".7z") returned 3 [0072.025] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0072.026] lstrlenW (lpString=".dbf") returned 4 [0072.026] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0072.026] lstrlenW (lpString=".1cd") returned 4 [0072.026] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0072.026] lstrlenW (lpString=".jpg") returned 4 [0072.026] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.026] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.026] lstrlenW (lpString="auxpad.xml") returned 10 [0072.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.207] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=212) returned 1 [0072.207] CloseHandle (hObject=0x1ec) returned 1 [0072.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml")) returned 0x20 [0072.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0072.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0072.208] lstrlenW (lpString=".doc") returned 4 [0072.208] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.208] lstrlenW (lpString=".docx") returned 5 [0072.208] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0072.208] lstrlenW (lpString=".pdf") returned 4 [0072.208] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.208] lstrlenW (lpString=".xls") returned 4 [0072.208] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.208] lstrlenW (lpString=".xlsx") returned 5 [0072.208] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0072.208] lstrlenW (lpString=".ppt") returned 4 [0072.208] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0072.208] lstrlenW (lpString=".zip") returned 4 [0072.208] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.208] lstrlenW (lpString=".rar") returned 4 [0072.208] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.208] lstrlenW (lpString=".bz2") returned 4 [0072.208] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.208] lstrlenW (lpString=".7z") returned 3 [0072.208] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0072.208] lstrlenW (lpString=".dbf") returned 4 [0072.208] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0072.208] lstrlenW (lpString=".1cd") returned 4 [0072.208] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0072.209] lstrlenW (lpString=".jpg") returned 4 [0072.209] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0072.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0072.209] lstrlenW (lpString=".doc") returned 4 [0072.209] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.209] lstrlenW (lpString=".docx") returned 5 [0072.209] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0072.209] lstrlenW (lpString=".pdf") returned 4 [0072.209] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.209] lstrlenW (lpString=".xls") returned 4 [0072.209] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.209] lstrlenW (lpString=".xlsx") returned 5 [0072.209] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0072.209] lstrlenW (lpString=".ppt") returned 4 [0072.209] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0072.209] lstrlenW (lpString=".zip") returned 4 [0072.209] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.209] lstrlenW (lpString=".rar") returned 4 [0072.209] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.209] lstrlenW (lpString=".bz2") returned 4 [0072.209] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.209] lstrlenW (lpString=".7z") returned 3 [0072.209] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0072.209] lstrlenW (lpString=".dbf") returned 4 [0072.210] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0072.210] lstrlenW (lpString=".1cd") returned 4 [0072.210] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0072.210] lstrlenW (lpString=".jpg") returned 4 [0072.210] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.210] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.210] lstrlenW (lpString="ea.xml") returned 6 [0072.210] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.210] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=384) returned 1 [0072.210] CloseHandle (hObject=0x1ec) returned 1 [0072.211] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml")) returned 0x20 [0072.211] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.211] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0072.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0072.211] lstrlenW (lpString=".doc") returned 4 [0072.211] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.211] lstrlenW (lpString=".docx") returned 5 [0072.211] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0072.211] lstrlenW (lpString=".pdf") returned 4 [0072.211] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.211] lstrlenW (lpString=".xls") returned 4 [0072.211] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.211] lstrlenW (lpString=".xlsx") returned 5 [0072.211] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0072.211] lstrlenW (lpString=".ppt") returned 4 [0072.211] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0072.211] lstrlenW (lpString=".zip") returned 4 [0072.211] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.211] lstrlenW (lpString=".rar") returned 4 [0072.211] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.212] lstrlenW (lpString=".bz2") returned 4 [0072.212] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.212] lstrlenW (lpString=".7z") returned 3 [0072.212] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0072.212] lstrlenW (lpString=".dbf") returned 4 [0072.212] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0072.212] lstrlenW (lpString=".1cd") returned 4 [0072.212] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0072.212] lstrlenW (lpString=".jpg") returned 4 [0072.212] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0072.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0072.212] lstrlenW (lpString=".doc") returned 4 [0072.212] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.212] lstrlenW (lpString=".docx") returned 5 [0072.212] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0072.212] lstrlenW (lpString=".pdf") returned 4 [0072.212] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.212] lstrlenW (lpString=".xls") returned 4 [0072.212] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.212] lstrlenW (lpString=".xlsx") returned 5 [0072.212] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0072.212] lstrlenW (lpString=".ppt") returned 4 [0072.213] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0072.213] lstrlenW (lpString=".zip") returned 4 [0072.213] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.213] lstrlenW (lpString=".rar") returned 4 [0072.213] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.213] lstrlenW (lpString=".bz2") returned 4 [0072.213] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.213] lstrlenW (lpString=".7z") returned 3 [0072.213] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0072.213] lstrlenW (lpString=".dbf") returned 4 [0072.213] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0072.213] lstrlenW (lpString=".1cd") returned 4 [0072.213] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0072.213] lstrlenW (lpString=".jpg") returned 4 [0072.213] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.213] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.213] lstrlenW (lpString="keypadbase.xml") returned 14 [0072.213] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.678] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1118) returned 1 [0072.678] CloseHandle (hObject=0x1ec) returned 1 [0072.678] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml")) returned 0x20 [0072.678] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.678] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0072.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0072.679] lstrlenW (lpString=".doc") returned 4 [0072.679] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.679] lstrlenW (lpString=".docx") returned 5 [0072.679] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0072.679] lstrlenW (lpString=".pdf") returned 4 [0072.679] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.679] lstrlenW (lpString=".xls") returned 4 [0072.679] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.679] lstrlenW (lpString=".xlsx") returned 5 [0072.679] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0072.679] lstrlenW (lpString=".ppt") returned 4 [0072.679] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0072.679] lstrlenW (lpString=".zip") returned 4 [0072.679] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.679] lstrlenW (lpString=".rar") returned 4 [0072.679] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.679] lstrlenW (lpString=".bz2") returned 4 [0072.679] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.679] lstrlenW (lpString=".7z") returned 3 [0072.679] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.679] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0072.679] lstrlenW (lpString=".dbf") returned 4 [0072.680] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.680] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0072.680] lstrlenW (lpString=".1cd") returned 4 [0072.680] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.680] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0072.680] lstrlenW (lpString=".jpg") returned 4 [0072.680] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.680] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0072.680] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0072.680] lstrlenW (lpString=".doc") returned 4 [0072.680] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0072.680] lstrlenW (lpString=".docx") returned 5 [0072.680] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0072.680] lstrlenW (lpString=".pdf") returned 4 [0072.680] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0072.680] lstrlenW (lpString=".xls") returned 4 [0072.680] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0072.680] lstrlenW (lpString=".xlsx") returned 5 [0072.680] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0072.680] lstrlenW (lpString=".ppt") returned 4 [0072.680] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0072.680] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0072.680] lstrlenW (lpString=".zip") returned 4 [0072.680] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0072.681] lstrlenW (lpString=".rar") returned 4 [0072.681] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0072.681] lstrlenW (lpString=".bz2") returned 4 [0072.681] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0072.681] lstrlenW (lpString=".7z") returned 3 [0072.681] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0072.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0072.681] lstrlenW (lpString=".dbf") returned 4 [0072.681] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0072.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0072.681] lstrlenW (lpString=".1cd") returned 4 [0072.681] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0072.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0072.681] lstrlenW (lpString=".jpg") returned 4 [0072.681] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0072.681] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0072.681] lstrlenW (lpString="baseAltGr_rtl.xml") returned 17 [0072.682] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0073.019] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=247) returned 1 [0073.019] CloseHandle (hObject=0x1c8) returned 1 [0073.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml")) returned 0x20 [0073.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0073.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0073.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0073.019] lstrlenW (lpString=".doc") returned 4 [0073.020] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0073.020] lstrlenW (lpString=".docx") returned 5 [0073.020] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0073.020] lstrlenW (lpString=".pdf") returned 4 [0073.020] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0073.020] lstrlenW (lpString=".xls") returned 4 [0073.020] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0073.020] lstrlenW (lpString=".xlsx") returned 5 [0073.020] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0073.020] lstrlenW (lpString=".ppt") returned 4 [0073.020] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0073.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0073.020] lstrlenW (lpString=".zip") returned 4 [0073.020] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0073.020] lstrlenW (lpString=".rar") returned 4 [0073.020] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0073.020] lstrlenW (lpString=".bz2") returned 4 [0073.020] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0073.020] lstrlenW (lpString=".7z") returned 3 [0073.020] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0073.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0073.020] lstrlenW (lpString=".dbf") returned 4 [0073.020] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0073.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0073.020] lstrlenW (lpString=".1cd") returned 4 [0073.020] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0073.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0073.020] lstrlenW (lpString=".jpg") returned 4 [0073.020] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0073.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0073.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0073.021] lstrlenW (lpString=".doc") returned 4 [0073.021] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0073.021] lstrlenW (lpString=".docx") returned 5 [0073.021] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0073.021] lstrlenW (lpString=".pdf") returned 4 [0073.021] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0073.021] lstrlenW (lpString=".xls") returned 4 [0073.021] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0073.021] lstrlenW (lpString=".xlsx") returned 5 [0073.021] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0073.021] lstrlenW (lpString=".ppt") returned 4 [0073.021] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0073.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0073.021] lstrlenW (lpString=".zip") returned 4 [0073.021] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0073.021] lstrlenW (lpString=".rar") returned 4 [0073.021] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0073.021] lstrlenW (lpString=".bz2") returned 4 [0073.021] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0073.021] lstrlenW (lpString=".7z") returned 3 [0073.021] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0073.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0073.021] lstrlenW (lpString=".dbf") returned 4 [0073.021] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0073.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0073.021] lstrlenW (lpString=".1cd") returned 4 [0073.021] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0073.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0073.021] lstrlenW (lpString=".jpg") returned 4 [0073.021] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0073.022] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0073.022] lstrlenW (lpString="ExcelMUI.XML") returned 12 [0073.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0073.022] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1565) returned 1 [0073.022] CloseHandle (hObject=0x1c8) returned 1 [0073.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 0x20 [0073.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0073.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0073.022] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.023] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.023] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0073.963] GetLastError () returned 0x0 [0073.963] ReadFile (in: hFile=0x1c8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x61d, lpOverlapped=0x0) returned 1 [0074.142] WriteFile (in: hFile=0x1b0, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x620, lpOverlapped=0x0) returned 1 [0074.144] ReadFile (in: hFile=0x1c8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0074.144] WriteFile (in: hFile=0x1b0, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0074.144] SetEndOfFile (hFile=0x1b0) returned 1 [0074.144] CloseHandle (hObject=0x1b0) returned 1 [0074.149] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.149] SetEndOfFile (hFile=0x1c8) returned 1 [0074.150] CloseHandle (hObject=0x1c8) returned 1 [0074.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0074.151] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 1 [0074.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0074.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0074.151] lstrlenW (lpString=".doc") returned 4 [0074.151] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0074.151] lstrlenW (lpString=".docx") returned 5 [0074.151] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0074.151] lstrlenW (lpString=".pdf") returned 4 [0074.151] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0074.151] lstrlenW (lpString=".xls") returned 4 [0074.151] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0074.151] lstrlenW (lpString=".xlsx") returned 5 [0074.151] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0074.151] lstrlenW (lpString=".ppt") returned 4 [0074.151] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0074.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0074.151] lstrlenW (lpString=".zip") returned 4 [0074.151] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0074.152] lstrlenW (lpString=".rar") returned 4 [0074.152] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0074.152] lstrlenW (lpString=".bz2") returned 4 [0074.152] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0074.152] lstrlenW (lpString=".7z") returned 3 [0074.152] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0074.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0074.152] lstrlenW (lpString=".dbf") returned 4 [0074.152] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0074.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0074.152] lstrlenW (lpString=".1cd") returned 4 [0074.152] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0074.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0074.152] lstrlenW (lpString=".jpg") returned 4 [0074.152] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0074.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0074.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0074.152] lstrlenW (lpString=".doc") returned 4 [0074.152] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0074.152] lstrlenW (lpString=".docx") returned 5 [0074.153] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0074.153] lstrlenW (lpString=".pdf") returned 4 [0074.153] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0074.153] lstrlenW (lpString=".xls") returned 4 [0074.153] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0074.153] lstrlenW (lpString=".xlsx") returned 5 [0074.153] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0074.153] lstrlenW (lpString=".ppt") returned 4 [0074.153] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0074.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0074.153] lstrlenW (lpString=".zip") returned 4 [0074.153] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0074.153] lstrlenW (lpString=".rar") returned 4 [0074.153] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0074.153] lstrlenW (lpString=".bz2") returned 4 [0074.153] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0074.153] lstrlenW (lpString=".7z") returned 3 [0074.153] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0074.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0074.154] lstrlenW (lpString=".dbf") returned 4 [0074.154] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0074.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0074.154] lstrlenW (lpString=".1cd") returned 4 [0074.154] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0074.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0074.154] lstrlenW (lpString=".jpg") returned 4 [0074.154] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0074.310] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0074.310] lstrlenW (lpString="OfficeMUI.XML") returned 13 [0074.310] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0074.314] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=5557) returned 1 [0074.314] CloseHandle (hObject=0x1c8) returned 1 [0074.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 0x20 [0074.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.315] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0074.315] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.315] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.315] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0074.315] GetLastError () returned 0x0 [0074.315] ReadFile (in: hFile=0x1c8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x15b5, lpOverlapped=0x0) returned 1 [0074.344] WriteFile (in: hFile=0x1b0, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0074.357] ReadFile (in: hFile=0x1c8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0074.357] WriteFile (in: hFile=0x1b0, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xee, lpOverlapped=0x0) returned 1 [0074.357] SetEndOfFile (hFile=0x1b0) returned 1 [0074.357] CloseHandle (hObject=0x1b0) returned 1 [0074.358] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.358] SetEndOfFile (hFile=0x1c8) returned 1 [0074.360] CloseHandle (hObject=0x1c8) returned 1 [0074.360] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0074.360] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 1 [0074.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0074.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0074.361] lstrlenW (lpString=".doc") returned 4 [0074.361] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0074.361] lstrlenW (lpString=".docx") returned 5 [0074.361] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0074.361] lstrlenW (lpString=".pdf") returned 4 [0074.361] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0074.361] lstrlenW (lpString=".xls") returned 4 [0074.361] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0074.361] lstrlenW (lpString=".xlsx") returned 5 [0074.361] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0074.361] lstrlenW (lpString=".ppt") returned 4 [0074.361] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0074.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0074.361] lstrlenW (lpString=".zip") returned 4 [0074.361] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0074.361] lstrlenW (lpString=".rar") returned 4 [0074.361] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0074.361] lstrlenW (lpString=".bz2") returned 4 [0074.361] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0074.361] lstrlenW (lpString=".7z") returned 3 [0074.361] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0074.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0074.361] lstrlenW (lpString=".dbf") returned 4 [0074.361] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0074.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0074.361] lstrlenW (lpString=".1cd") returned 4 [0074.361] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0074.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0074.362] lstrlenW (lpString=".jpg") returned 4 [0074.362] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0074.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0074.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0074.362] lstrlenW (lpString=".doc") returned 4 [0074.362] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0074.362] lstrlenW (lpString=".docx") returned 5 [0074.362] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0074.362] lstrlenW (lpString=".pdf") returned 4 [0074.362] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0074.362] lstrlenW (lpString=".xls") returned 4 [0074.362] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0074.362] lstrlenW (lpString=".xlsx") returned 5 [0074.362] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0074.362] lstrlenW (lpString=".ppt") returned 4 [0074.362] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0074.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0074.362] lstrlenW (lpString=".zip") returned 4 [0074.362] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0074.362] lstrlenW (lpString=".rar") returned 4 [0074.362] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0074.362] lstrlenW (lpString=".bz2") returned 4 [0074.362] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0074.362] lstrlenW (lpString=".7z") returned 3 [0074.362] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0074.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0074.363] lstrlenW (lpString=".dbf") returned 4 [0074.363] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0074.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0074.363] lstrlenW (lpString=".1cd") returned 4 [0074.363] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0074.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0074.363] lstrlenW (lpString=".jpg") returned 4 [0074.363] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0074.363] lstrcmpiW (lpString1=".CHM", lpString2=".mnbzr") returned -1 [0074.363] lstrlenW (lpString="PSS10O.CHM") returned 10 [0074.363] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0074.363] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=26929) returned 1 [0074.364] CloseHandle (hObject=0x1c8) returned 1 [0074.364] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 0x20 [0074.364] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.364] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0074.364] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.364] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.364] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0074.364] GetLastError () returned 0x0 [0074.365] ReadFile (in: hFile=0x1c8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x6931, lpOverlapped=0x0) returned 1 [0074.373] WriteFile (in: hFile=0x1b0, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x6940, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x6940, lpOverlapped=0x0) returned 1 [0074.375] ReadFile (in: hFile=0x1c8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0074.375] WriteFile (in: hFile=0x1b0, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0074.375] SetEndOfFile (hFile=0x1b0) returned 1 [0074.375] CloseHandle (hObject=0x1b0) returned 1 [0074.377] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.377] SetEndOfFile (hFile=0x1c8) returned 1 [0074.378] CloseHandle (hObject=0x1c8) returned 1 [0074.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0074.379] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 1 [0074.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0074.379] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0074.379] lstrlenW (lpString=".doc") returned 4 [0074.379] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0074.379] lstrlenW (lpString=".docx") returned 5 [0074.379] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0074.379] lstrlenW (lpString=".pdf") returned 4 [0074.379] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0074.379] lstrlenW (lpString=".xls") returned 4 [0074.379] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0074.380] lstrlenW (lpString=".xlsx") returned 5 [0074.380] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0074.380] lstrlenW (lpString=".ppt") returned 4 [0074.380] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0074.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0074.380] lstrlenW (lpString=".zip") returned 4 [0074.380] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0074.380] lstrlenW (lpString=".rar") returned 4 [0074.380] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0074.380] lstrlenW (lpString=".bz2") returned 4 [0074.380] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0074.380] lstrlenW (lpString=".7z") returned 3 [0074.380] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0074.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0074.380] lstrlenW (lpString=".dbf") returned 4 [0074.380] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0074.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0074.380] lstrlenW (lpString=".1cd") returned 4 [0074.380] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0074.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0074.380] lstrlenW (lpString=".jpg") returned 4 [0074.380] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0074.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0074.380] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0074.380] lstrlenW (lpString=".doc") returned 4 [0074.381] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0074.381] lstrlenW (lpString=".docx") returned 5 [0074.381] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0074.381] lstrlenW (lpString=".pdf") returned 4 [0074.381] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0074.381] lstrlenW (lpString=".xls") returned 4 [0074.381] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0074.381] lstrlenW (lpString=".xlsx") returned 5 [0074.381] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0074.381] lstrlenW (lpString=".ppt") returned 4 [0074.381] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0074.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0074.381] lstrlenW (lpString=".zip") returned 4 [0074.381] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0074.381] lstrlenW (lpString=".rar") returned 4 [0074.381] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0074.381] lstrlenW (lpString=".bz2") returned 4 [0074.381] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0074.381] lstrlenW (lpString=".7z") returned 3 [0074.381] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0074.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0074.381] lstrlenW (lpString=".dbf") returned 4 [0074.381] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0074.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0074.381] lstrlenW (lpString=".1cd") returned 4 [0074.381] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0074.381] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0074.382] lstrlenW (lpString=".jpg") returned 4 [0074.382] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0074.382] lstrcmpiW (lpString1=".CHM", lpString2=".mnbzr") returned -1 [0074.382] lstrlenW (lpString="PSS10R.CHM") returned 10 [0074.382] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0074.383] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=27195) returned 1 [0074.383] CloseHandle (hObject=0x1c8) returned 1 [0074.384] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 0x20 [0074.384] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.384] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0074.384] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.384] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.384] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0074.384] GetLastError () returned 0x0 [0074.384] ReadFile (in: hFile=0x1c8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0074.398] WriteFile (in: hFile=0x1b0, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0074.400] ReadFile (in: hFile=0x1c8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0074.400] WriteFile (in: hFile=0x1b0, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0074.400] SetEndOfFile (hFile=0x1b0) returned 1 [0074.400] CloseHandle (hObject=0x1b0) returned 1 [0074.401] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.401] SetEndOfFile (hFile=0x1c8) returned 1 [0074.402] CloseHandle (hObject=0x1c8) returned 1 [0074.402] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0074.403] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 1 [0074.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0074.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0074.403] lstrlenW (lpString=".doc") returned 4 [0074.403] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0074.403] lstrlenW (lpString=".docx") returned 5 [0074.403] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0074.403] lstrlenW (lpString=".pdf") returned 4 [0074.403] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0074.403] lstrlenW (lpString=".xls") returned 4 [0074.403] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0074.403] lstrlenW (lpString=".xlsx") returned 5 [0074.403] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0074.403] lstrlenW (lpString=".ppt") returned 4 [0074.583] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0074.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0074.584] lstrlenW (lpString=".zip") returned 4 [0074.584] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0074.584] lstrlenW (lpString=".rar") returned 4 [0074.584] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0074.584] lstrlenW (lpString=".bz2") returned 4 [0074.584] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0074.584] lstrlenW (lpString=".7z") returned 3 [0074.584] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0074.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0074.584] lstrlenW (lpString=".dbf") returned 4 [0074.584] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0074.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0074.584] lstrlenW (lpString=".1cd") returned 4 [0074.584] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0074.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0074.584] lstrlenW (lpString=".jpg") returned 4 [0074.584] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0074.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0074.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0074.584] lstrlenW (lpString=".doc") returned 4 [0074.584] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0074.584] lstrlenW (lpString=".docx") returned 5 [0074.584] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0074.584] lstrlenW (lpString=".pdf") returned 4 [0074.584] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0074.584] lstrlenW (lpString=".xls") returned 4 [0074.584] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0074.584] lstrlenW (lpString=".xlsx") returned 5 [0074.584] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0074.584] lstrlenW (lpString=".ppt") returned 4 [0074.584] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0074.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0074.584] lstrlenW (lpString=".zip") returned 4 [0074.585] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0074.585] lstrlenW (lpString=".rar") returned 4 [0074.585] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0074.585] lstrlenW (lpString=".bz2") returned 4 [0074.585] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0074.585] lstrlenW (lpString=".7z") returned 3 [0074.585] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0074.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0074.585] lstrlenW (lpString=".dbf") returned 4 [0074.585] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0074.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0074.585] lstrlenW (lpString=".1cd") returned 4 [0074.585] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0074.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0074.585] lstrlenW (lpString=".jpg") returned 4 [0074.585] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0074.585] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0074.585] lstrlenW (lpString="SETUP.XML") returned 9 [0074.585] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0075.437] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=2362) returned 1 [0075.437] CloseHandle (hObject=0x1cc) returned 1 [0075.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 0x20 [0075.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0075.438] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0075.438] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.438] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.438] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0075.439] GetLastError () returned 0x0 [0075.439] ReadFile (in: hFile=0x1cc, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x93a, lpOverlapped=0x0) returned 1 [0075.654] WriteFile (in: hFile=0x1c8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x940, lpOverlapped=0x0) returned 1 [0075.655] ReadFile (in: hFile=0x1cc, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0075.655] WriteFile (in: hFile=0x1c8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0075.655] SetEndOfFile (hFile=0x1c8) returned 1 [0075.655] CloseHandle (hObject=0x1c8) returned 1 [0075.657] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.657] SetEndOfFile (hFile=0x1cc) returned 1 [0075.658] CloseHandle (hObject=0x1cc) returned 1 [0075.658] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0075.658] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 1 [0075.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0075.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0075.659] lstrlenW (lpString=".doc") returned 4 [0075.659] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.659] lstrlenW (lpString=".docx") returned 5 [0075.659] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0075.659] lstrlenW (lpString=".pdf") returned 4 [0075.659] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.659] lstrlenW (lpString=".xls") returned 4 [0075.659] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.659] lstrlenW (lpString=".xlsx") returned 5 [0075.659] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0075.659] lstrlenW (lpString=".ppt") returned 4 [0075.659] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0075.659] lstrlenW (lpString=".zip") returned 4 [0075.659] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.659] lstrlenW (lpString=".rar") returned 4 [0075.659] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.659] lstrlenW (lpString=".bz2") returned 4 [0075.659] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.659] lstrlenW (lpString=".7z") returned 3 [0075.659] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0075.659] lstrlenW (lpString=".dbf") returned 4 [0075.659] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.659] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0075.659] lstrlenW (lpString=".1cd") returned 4 [0075.659] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0075.660] lstrlenW (lpString=".jpg") returned 4 [0075.660] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0075.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0075.660] lstrlenW (lpString=".doc") returned 4 [0075.660] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.660] lstrlenW (lpString=".docx") returned 5 [0075.660] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0075.660] lstrlenW (lpString=".pdf") returned 4 [0075.660] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.660] lstrlenW (lpString=".xls") returned 4 [0075.660] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.660] lstrlenW (lpString=".xlsx") returned 5 [0075.660] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0075.660] lstrlenW (lpString=".ppt") returned 4 [0075.660] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0075.660] lstrlenW (lpString=".zip") returned 4 [0075.660] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.660] lstrlenW (lpString=".rar") returned 4 [0075.660] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.660] lstrlenW (lpString=".bz2") returned 4 [0075.660] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.660] lstrlenW (lpString=".7z") returned 3 [0075.660] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0075.660] lstrlenW (lpString=".dbf") returned 4 [0075.660] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0075.661] lstrlenW (lpString=".1cd") returned 4 [0075.661] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0075.661] lstrlenW (lpString=".jpg") returned 4 [0075.661] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.661] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0075.661] lstrlenW (lpString="OutlookMUI.XML") returned 14 [0075.661] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0075.661] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=3186) returned 1 [0075.661] CloseHandle (hObject=0x1cc) returned 1 [0075.661] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 0x20 [0075.661] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0075.662] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0075.662] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.662] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.662] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0075.748] GetLastError () returned 0x0 [0075.748] ReadFile (in: hFile=0x1cc, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0xc72, lpOverlapped=0x0) returned 1 [0075.780] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xc80, lpOverlapped=0x0) returned 1 [0075.782] ReadFile (in: hFile=0x1cc, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0075.782] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0075.782] SetEndOfFile (hFile=0x204) returned 1 [0075.782] CloseHandle (hObject=0x204) returned 1 [0075.783] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.783] SetEndOfFile (hFile=0x1cc) returned 1 [0075.784] CloseHandle (hObject=0x1cc) returned 1 [0075.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0075.784] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 1 [0075.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0075.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0075.785] lstrlenW (lpString=".doc") returned 4 [0075.785] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.785] lstrlenW (lpString=".docx") returned 5 [0075.785] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0075.785] lstrlenW (lpString=".pdf") returned 4 [0075.785] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.785] lstrlenW (lpString=".xls") returned 4 [0075.785] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.785] lstrlenW (lpString=".xlsx") returned 5 [0075.785] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0075.785] lstrlenW (lpString=".ppt") returned 4 [0075.785] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0075.785] lstrlenW (lpString=".zip") returned 4 [0075.785] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.785] lstrlenW (lpString=".rar") returned 4 [0075.785] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.785] lstrlenW (lpString=".bz2") returned 4 [0075.785] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.785] lstrlenW (lpString=".7z") returned 3 [0075.785] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0075.786] lstrlenW (lpString=".dbf") returned 4 [0075.786] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0075.786] lstrlenW (lpString=".1cd") returned 4 [0075.786] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0075.786] lstrlenW (lpString=".jpg") returned 4 [0075.786] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0075.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0075.786] lstrlenW (lpString=".doc") returned 4 [0075.786] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.786] lstrlenW (lpString=".docx") returned 5 [0075.786] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0075.786] lstrlenW (lpString=".pdf") returned 4 [0075.786] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.786] lstrlenW (lpString=".xls") returned 4 [0075.786] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.786] lstrlenW (lpString=".xlsx") returned 5 [0075.786] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0075.786] lstrlenW (lpString=".ppt") returned 4 [0075.786] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0075.786] lstrlenW (lpString=".zip") returned 4 [0075.786] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.786] lstrlenW (lpString=".rar") returned 4 [0075.787] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.787] lstrlenW (lpString=".bz2") returned 4 [0075.787] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.787] lstrlenW (lpString=".7z") returned 3 [0075.787] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0075.787] lstrlenW (lpString=".dbf") returned 4 [0075.787] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0075.787] lstrlenW (lpString=".1cd") returned 4 [0075.787] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0075.787] lstrlenW (lpString=".jpg") returned 4 [0075.787] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.886] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0075.886] lstrlenW (lpString="SETUP.XML") returned 9 [0075.886] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0075.893] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=4207) returned 1 [0075.893] CloseHandle (hObject=0x210) returned 1 [0075.893] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 0x20 [0075.893] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0075.893] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0075.894] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.894] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.894] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0075.894] GetLastError () returned 0x0 [0075.894] ReadFile (in: hFile=0x210, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x106f, lpOverlapped=0x0) returned 1 [0077.461] WriteFile (in: hFile=0x1b8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x1070, lpOverlapped=0x0) returned 1 [0077.463] ReadFile (in: hFile=0x210, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0077.463] WriteFile (in: hFile=0x1b8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0077.463] SetEndOfFile (hFile=0x1b8) returned 1 [0077.463] CloseHandle (hObject=0x1b8) returned 1 [0077.465] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.465] SetEndOfFile (hFile=0x210) returned 1 [0077.466] CloseHandle (hObject=0x210) returned 1 [0077.466] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0077.466] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 1 [0077.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0077.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0077.467] lstrlenW (lpString=".doc") returned 4 [0077.467] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.467] lstrlenW (lpString=".docx") returned 5 [0077.467] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0077.467] lstrlenW (lpString=".pdf") returned 4 [0077.467] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.467] lstrlenW (lpString=".xls") returned 4 [0077.467] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.467] lstrlenW (lpString=".xlsx") returned 5 [0077.467] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0077.467] lstrlenW (lpString=".ppt") returned 4 [0077.467] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0077.467] lstrlenW (lpString=".zip") returned 4 [0077.467] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.467] lstrlenW (lpString=".rar") returned 4 [0077.467] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.467] lstrlenW (lpString=".bz2") returned 4 [0077.467] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.467] lstrlenW (lpString=".7z") returned 3 [0077.467] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0077.467] lstrlenW (lpString=".dbf") returned 4 [0077.467] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0077.467] lstrlenW (lpString=".1cd") returned 4 [0077.467] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0077.467] lstrlenW (lpString=".jpg") returned 4 [0077.467] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0077.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0077.468] lstrlenW (lpString=".doc") returned 4 [0077.468] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.468] lstrlenW (lpString=".docx") returned 5 [0077.468] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0077.468] lstrlenW (lpString=".pdf") returned 4 [0077.468] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.468] lstrlenW (lpString=".xls") returned 4 [0077.468] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.468] lstrlenW (lpString=".xlsx") returned 5 [0077.468] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0077.468] lstrlenW (lpString=".ppt") returned 4 [0077.468] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0077.468] lstrlenW (lpString=".zip") returned 4 [0077.468] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.468] lstrlenW (lpString=".rar") returned 4 [0077.468] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.468] lstrlenW (lpString=".bz2") returned 4 [0077.468] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.468] lstrlenW (lpString=".7z") returned 3 [0077.468] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0077.468] lstrlenW (lpString=".dbf") returned 4 [0077.468] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0077.468] lstrlenW (lpString=".1cd") returned 4 [0077.468] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0077.468] lstrlenW (lpString=".jpg") returned 4 [0077.468] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.469] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0077.469] lstrlenW (lpString="SETUP.XML") returned 9 [0077.469] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0077.779] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=16683) returned 1 [0077.780] CloseHandle (hObject=0x208) returned 1 [0077.780] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 0x20 [0077.784] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0077.801] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0077.801] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.801] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.801] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0078.260] GetLastError () returned 0x0 [0078.260] ReadFile (in: hFile=0x210, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x412b, lpOverlapped=0x0) returned 1 [0078.285] WriteFile (in: hFile=0x1c8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0078.286] ReadFile (in: hFile=0x210, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0078.287] WriteFile (in: hFile=0x1c8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0078.287] SetEndOfFile (hFile=0x1c8) returned 1 [0078.287] CloseHandle (hObject=0x1c8) returned 1 [0078.578] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.578] SetEndOfFile (hFile=0x210) returned 1 [0078.579] CloseHandle (hObject=0x210) returned 1 [0078.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.580] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 1 [0078.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0078.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0078.580] lstrlenW (lpString=".doc") returned 4 [0078.580] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.580] lstrlenW (lpString=".docx") returned 5 [0078.580] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.580] lstrlenW (lpString=".pdf") returned 4 [0078.580] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.580] lstrlenW (lpString=".xls") returned 4 [0078.580] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.580] lstrlenW (lpString=".xlsx") returned 5 [0078.580] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.580] lstrlenW (lpString=".ppt") returned 4 [0078.580] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0078.580] lstrlenW (lpString=".zip") returned 4 [0078.580] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.580] lstrlenW (lpString=".rar") returned 4 [0078.580] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.581] lstrlenW (lpString=".bz2") returned 4 [0078.581] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.581] lstrlenW (lpString=".7z") returned 3 [0078.581] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0078.581] lstrlenW (lpString=".dbf") returned 4 [0078.581] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0078.581] lstrlenW (lpString=".1cd") returned 4 [0078.581] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0078.581] lstrlenW (lpString=".jpg") returned 4 [0078.581] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0078.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0078.581] lstrlenW (lpString=".doc") returned 4 [0078.581] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.581] lstrlenW (lpString=".docx") returned 5 [0078.581] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.581] lstrlenW (lpString=".pdf") returned 4 [0078.581] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.581] lstrlenW (lpString=".xls") returned 4 [0078.581] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.581] lstrlenW (lpString=".xlsx") returned 5 [0078.581] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.581] lstrlenW (lpString=".ppt") returned 4 [0078.581] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0078.582] lstrlenW (lpString=".zip") returned 4 [0078.582] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.582] lstrlenW (lpString=".rar") returned 4 [0078.582] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.582] lstrlenW (lpString=".bz2") returned 4 [0078.582] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.582] lstrlenW (lpString=".7z") returned 3 [0078.582] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0078.582] lstrlenW (lpString=".dbf") returned 4 [0078.582] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0078.582] lstrlenW (lpString=".1cd") returned 4 [0078.582] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0078.582] lstrlenW (lpString=".jpg") returned 4 [0078.582] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.582] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0078.582] lstrlenW (lpString="SETUP.XML") returned 9 [0078.582] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0078.962] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=2424) returned 1 [0078.962] CloseHandle (hObject=0x1f0) returned 1 [0078.963] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 0x20 [0078.963] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0078.963] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0078.963] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.963] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.963] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0078.964] GetLastError () returned 0x0 [0078.964] ReadFile (in: hFile=0x1f0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x978, lpOverlapped=0x0) returned 1 [0078.966] WriteFile (in: hFile=0x208, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x980, lpOverlapped=0x0) returned 1 [0078.967] ReadFile (in: hFile=0x1f0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0078.967] WriteFile (in: hFile=0x208, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0078.967] SetEndOfFile (hFile=0x208) returned 1 [0078.967] CloseHandle (hObject=0x208) returned 1 [0078.972] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.972] SetEndOfFile (hFile=0x1f0) returned 1 [0078.973] CloseHandle (hObject=0x1f0) returned 1 [0078.973] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.973] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 1 [0078.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0078.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0078.974] lstrlenW (lpString=".doc") returned 4 [0078.974] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.974] lstrlenW (lpString=".docx") returned 5 [0078.974] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.974] lstrlenW (lpString=".pdf") returned 4 [0078.974] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.974] lstrlenW (lpString=".xls") returned 4 [0078.974] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.974] lstrlenW (lpString=".xlsx") returned 5 [0078.974] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.974] lstrlenW (lpString=".ppt") returned 4 [0078.974] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0078.975] lstrlenW (lpString=".zip") returned 4 [0078.975] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.975] lstrlenW (lpString=".rar") returned 4 [0078.975] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.975] lstrlenW (lpString=".bz2") returned 4 [0078.975] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.975] lstrlenW (lpString=".7z") returned 3 [0078.975] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0078.975] lstrlenW (lpString=".dbf") returned 4 [0078.975] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0078.975] lstrlenW (lpString=".1cd") returned 4 [0078.975] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0078.975] lstrlenW (lpString=".jpg") returned 4 [0078.975] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0078.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0078.976] lstrlenW (lpString=".doc") returned 4 [0078.976] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.976] lstrlenW (lpString=".docx") returned 5 [0078.976] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.976] lstrlenW (lpString=".pdf") returned 4 [0078.976] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.976] lstrlenW (lpString=".xls") returned 4 [0078.976] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.976] lstrlenW (lpString=".xlsx") returned 5 [0078.976] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.976] lstrlenW (lpString=".ppt") returned 4 [0078.976] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0078.976] lstrlenW (lpString=".zip") returned 4 [0078.976] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.976] lstrlenW (lpString=".rar") returned 4 [0078.976] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.976] lstrlenW (lpString=".bz2") returned 4 [0078.976] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.976] lstrlenW (lpString=".7z") returned 3 [0078.976] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0078.976] lstrlenW (lpString=".dbf") returned 4 [0078.976] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0078.977] lstrlenW (lpString=".1cd") returned 4 [0078.977] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0078.977] lstrlenW (lpString=".jpg") returned 4 [0078.977] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.977] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0078.977] lstrlenW (lpString="PHONE.XML") returned 9 [0078.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0079.521] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1844) returned 1 [0079.521] CloseHandle (hObject=0x20c) returned 1 [0079.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 0x20 [0079.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0079.522] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0079.522] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.522] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.522] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0079.522] GetLastError () returned 0x0 [0079.522] ReadFile (in: hFile=0x20c, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x734, lpOverlapped=0x0) returned 1 [0079.691] WriteFile (in: hFile=0x1b8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x740, lpOverlapped=0x0) returned 1 [0079.700] ReadFile (in: hFile=0x20c, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0079.700] WriteFile (in: hFile=0x1b8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0079.700] SetEndOfFile (hFile=0x1b8) returned 1 [0079.700] CloseHandle (hObject=0x1b8) returned 1 [0079.701] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.701] SetEndOfFile (hFile=0x20c) returned 1 [0079.702] CloseHandle (hObject=0x20c) returned 1 [0079.702] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0079.702] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 1 [0079.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0079.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0079.703] lstrlenW (lpString=".doc") returned 4 [0079.703] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0079.703] lstrlenW (lpString=".docx") returned 5 [0079.703] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0079.703] lstrlenW (lpString=".pdf") returned 4 [0079.703] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0079.703] lstrlenW (lpString=".xls") returned 4 [0079.703] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0079.703] lstrlenW (lpString=".xlsx") returned 5 [0079.703] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0079.703] lstrlenW (lpString=".ppt") returned 4 [0079.703] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0079.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0079.703] lstrlenW (lpString=".zip") returned 4 [0079.703] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0079.703] lstrlenW (lpString=".rar") returned 4 [0079.703] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0079.703] lstrlenW (lpString=".bz2") returned 4 [0079.703] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0079.704] lstrlenW (lpString=".7z") returned 3 [0079.704] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0079.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0079.704] lstrlenW (lpString=".dbf") returned 4 [0079.704] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0079.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0079.704] lstrlenW (lpString=".1cd") returned 4 [0079.704] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0079.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0079.704] lstrlenW (lpString=".jpg") returned 4 [0079.704] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0079.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0079.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0079.704] lstrlenW (lpString=".doc") returned 4 [0079.704] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0079.704] lstrlenW (lpString=".docx") returned 5 [0079.704] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0079.704] lstrlenW (lpString=".pdf") returned 4 [0079.704] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0079.704] lstrlenW (lpString=".xls") returned 4 [0079.704] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0079.704] lstrlenW (lpString=".xlsx") returned 5 [0079.704] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0079.704] lstrlenW (lpString=".ppt") returned 4 [0079.704] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0079.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0079.705] lstrlenW (lpString=".zip") returned 4 [0079.705] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0079.705] lstrlenW (lpString=".rar") returned 4 [0079.705] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0079.705] lstrlenW (lpString=".bz2") returned 4 [0079.705] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0079.705] lstrlenW (lpString=".7z") returned 3 [0079.705] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0079.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0079.705] lstrlenW (lpString=".dbf") returned 4 [0079.705] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0079.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0079.705] lstrlenW (lpString=".1cd") returned 4 [0079.705] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0079.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0079.705] lstrlenW (lpString=".jpg") returned 4 [0079.705] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0079.705] lstrcmpiW (lpString1=".XSL", lpString2=".mnbzr") returned 1 [0079.705] lstrlenW (lpString="BASMLA.XSL") returned 10 [0079.705] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0079.706] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=227311) returned 1 [0079.706] CloseHandle (hObject=0x20c) returned 1 [0079.706] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 0x20 [0079.706] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0079.706] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0079.706] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.706] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.706] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0079.707] GetLastError () returned 0x0 [0079.707] ReadFile (in: hFile=0x20c, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x377ef, lpOverlapped=0x0) returned 1 [0079.790] WriteFile (in: hFile=0x1b8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x377f0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x377f0, lpOverlapped=0x0) returned 1 [0079.796] ReadFile (in: hFile=0x20c, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0079.796] WriteFile (in: hFile=0x1b8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0079.796] SetEndOfFile (hFile=0x1b8) returned 1 [0079.797] CloseHandle (hObject=0x1b8) returned 1 [0079.800] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.800] SetEndOfFile (hFile=0x20c) returned 1 [0079.803] CloseHandle (hObject=0x20c) returned 1 [0079.803] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0079.803] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 1 [0079.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0079.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0079.804] lstrlenW (lpString=".doc") returned 4 [0079.804] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0079.804] lstrlenW (lpString=".docx") returned 5 [0079.804] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0079.804] lstrlenW (lpString=".pdf") returned 4 [0079.804] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0079.804] lstrlenW (lpString=".xls") returned 4 [0079.804] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0079.804] lstrlenW (lpString=".xlsx") returned 5 [0079.804] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0079.804] lstrlenW (lpString=".ppt") returned 4 [0079.804] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0079.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0079.804] lstrlenW (lpString=".zip") returned 4 [0079.804] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0079.804] lstrlenW (lpString=".rar") returned 4 [0079.804] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0079.804] lstrlenW (lpString=".bz2") returned 4 [0079.804] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0079.804] lstrlenW (lpString=".7z") returned 3 [0079.805] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0079.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0079.805] lstrlenW (lpString=".dbf") returned 4 [0079.805] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0079.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0079.805] lstrlenW (lpString=".1cd") returned 4 [0079.805] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0079.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0079.805] lstrlenW (lpString=".jpg") returned 4 [0079.805] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0079.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0079.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0079.805] lstrlenW (lpString=".doc") returned 4 [0079.805] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0079.805] lstrlenW (lpString=".docx") returned 5 [0079.805] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0079.805] lstrlenW (lpString=".pdf") returned 4 [0079.805] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0079.805] lstrlenW (lpString=".xls") returned 4 [0079.805] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0079.805] lstrlenW (lpString=".xlsx") returned 5 [0079.805] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0079.805] lstrlenW (lpString=".ppt") returned 4 [0079.805] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0079.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0079.806] lstrlenW (lpString=".zip") returned 4 [0079.806] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0079.806] lstrlenW (lpString=".rar") returned 4 [0079.806] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0079.806] lstrlenW (lpString=".bz2") returned 4 [0079.806] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0079.806] lstrlenW (lpString=".7z") returned 3 [0079.806] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0079.806] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0079.806] lstrlenW (lpString=".dbf") returned 4 [0079.806] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0079.806] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0079.806] lstrlenW (lpString=".1cd") returned 4 [0079.806] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0079.806] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0079.806] lstrlenW (lpString=".jpg") returned 4 [0079.806] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0079.991] lstrcmpiW (lpString1=".htm", lpString2=".mnbzr") returned -1 [0079.991] lstrlenW (lpString="Bears.htm") returned 9 [0079.991] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0082.539] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=255) returned 1 [0082.539] CloseHandle (hObject=0x204) returned 1 [0082.539] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm")) returned 0x20 [0082.539] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.539] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0082.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0082.540] lstrlenW (lpString=".doc") returned 4 [0082.540] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0082.540] lstrlenW (lpString=".docx") returned 5 [0082.540] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0082.540] lstrlenW (lpString=".pdf") returned 4 [0082.540] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0082.540] lstrlenW (lpString=".xls") returned 4 [0082.540] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0082.540] lstrlenW (lpString=".xlsx") returned 5 [0082.540] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0082.540] lstrlenW (lpString=".ppt") returned 4 [0082.540] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0082.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0082.540] lstrlenW (lpString=".zip") returned 4 [0082.540] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0082.540] lstrlenW (lpString=".rar") returned 4 [0082.540] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0082.540] lstrlenW (lpString=".bz2") returned 4 [0082.540] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0082.540] lstrlenW (lpString=".7z") returned 3 [0082.540] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0082.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0082.540] lstrlenW (lpString=".dbf") returned 4 [0082.540] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0082.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0082.541] lstrlenW (lpString=".1cd") returned 4 [0082.541] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0082.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0082.541] lstrlenW (lpString=".jpg") returned 4 [0082.541] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0082.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0082.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0082.541] lstrlenW (lpString=".doc") returned 4 [0082.541] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0082.541] lstrlenW (lpString=".docx") returned 5 [0082.541] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0082.541] lstrlenW (lpString=".pdf") returned 4 [0082.541] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0082.541] lstrlenW (lpString=".xls") returned 4 [0082.541] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0082.541] lstrlenW (lpString=".xlsx") returned 5 [0082.541] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0082.541] lstrlenW (lpString=".ppt") returned 4 [0082.541] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0082.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0082.541] lstrlenW (lpString=".zip") returned 4 [0082.541] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0082.541] lstrlenW (lpString=".rar") returned 4 [0082.541] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0082.541] lstrlenW (lpString=".bz2") returned 4 [0082.541] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0082.542] lstrlenW (lpString=".7z") returned 3 [0082.542] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0082.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0082.542] lstrlenW (lpString=".dbf") returned 4 [0082.542] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0082.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0082.542] lstrlenW (lpString=".1cd") returned 4 [0082.542] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0082.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0082.542] lstrlenW (lpString=".jpg") returned 4 [0082.542] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0082.542] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0082.542] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0082.542] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0082.892] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=19780) returned 1 [0082.892] CloseHandle (hObject=0x1ec) returned 1 [0082.892] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 0x20 [0082.892] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.892] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0082.892] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0082.892] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0082.892] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0082.893] GetLastError () returned 0x0 [0082.893] ReadFile (in: hFile=0x1ec, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x4d44, lpOverlapped=0x0) returned 1 [0082.895] WriteFile (in: hFile=0x1e8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x4d50, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x4d50, lpOverlapped=0x0) returned 1 [0082.897] ReadFile (in: hFile=0x1ec, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0082.897] WriteFile (in: hFile=0x1e8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0082.897] SetEndOfFile (hFile=0x1e8) returned 1 [0082.898] CloseHandle (hObject=0x1e8) returned 1 [0082.898] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0082.898] SetEndOfFile (hFile=0x1ec) returned 1 [0082.899] CloseHandle (hObject=0x1ec) returned 1 [0082.899] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0082.900] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 1 [0082.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0082.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0082.900] lstrlenW (lpString=".doc") returned 4 [0082.900] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0082.900] lstrlenW (lpString=".docx") returned 5 [0082.900] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0082.900] lstrlenW (lpString=".pdf") returned 4 [0082.900] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0082.900] lstrlenW (lpString=".xls") returned 4 [0082.900] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0082.900] lstrlenW (lpString=".xlsx") returned 5 [0082.900] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0082.900] lstrlenW (lpString=".ppt") returned 4 [0082.900] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0082.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0082.901] lstrlenW (lpString=".zip") returned 4 [0082.901] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0082.901] lstrlenW (lpString=".rar") returned 4 [0082.901] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0082.901] lstrlenW (lpString=".bz2") returned 4 [0082.901] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0082.901] lstrlenW (lpString=".7z") returned 3 [0082.901] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0082.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0082.901] lstrlenW (lpString=".dbf") returned 4 [0082.901] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0082.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0082.901] lstrlenW (lpString=".1cd") returned 4 [0082.901] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0082.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0082.901] lstrlenW (lpString=".jpg") returned 4 [0082.901] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0082.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0082.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0082.901] lstrlenW (lpString=".doc") returned 4 [0082.901] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0082.901] lstrlenW (lpString=".docx") returned 5 [0082.901] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0082.901] lstrlenW (lpString=".pdf") returned 4 [0082.901] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0082.902] lstrlenW (lpString=".xls") returned 4 [0082.902] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0082.902] lstrlenW (lpString=".xlsx") returned 5 [0082.902] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0082.902] lstrlenW (lpString=".ppt") returned 4 [0082.902] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0082.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0082.902] lstrlenW (lpString=".zip") returned 4 [0082.902] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0082.902] lstrlenW (lpString=".rar") returned 4 [0082.902] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0082.902] lstrlenW (lpString=".bz2") returned 4 [0082.902] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0082.902] lstrlenW (lpString=".7z") returned 3 [0082.902] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0082.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0082.902] lstrlenW (lpString=".dbf") returned 4 [0082.902] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0082.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0082.902] lstrlenW (lpString=".1cd") returned 4 [0082.902] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0082.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0082.902] lstrlenW (lpString=".jpg") returned 4 [0082.902] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0082.903] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0082.903] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0082.903] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0082.903] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=2848) returned 1 [0082.903] CloseHandle (hObject=0x1ec) returned 1 [0082.903] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 0x20 [0082.903] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.904] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0082.904] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0082.904] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0082.904] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0082.907] GetLastError () returned 0x0 [0082.907] ReadFile (in: hFile=0x1ec, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0xb20, lpOverlapped=0x0) returned 1 [0082.908] WriteFile (in: hFile=0x1e8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xb30, lpOverlapped=0x0) returned 1 [0082.910] ReadFile (in: hFile=0x1ec, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0082.910] WriteFile (in: hFile=0x1e8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0082.910] SetEndOfFile (hFile=0x1e8) returned 1 [0082.910] CloseHandle (hObject=0x1e8) returned 1 [0082.910] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0082.910] SetEndOfFile (hFile=0x1ec) returned 1 [0082.911] CloseHandle (hObject=0x1ec) returned 1 [0082.912] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0082.912] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 1 [0082.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0082.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0082.912] lstrlenW (lpString=".doc") returned 4 [0082.912] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0082.912] lstrlenW (lpString=".docx") returned 5 [0082.912] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0082.912] lstrlenW (lpString=".pdf") returned 4 [0082.913] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0082.913] lstrlenW (lpString=".xls") returned 4 [0082.913] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0082.913] lstrlenW (lpString=".xlsx") returned 5 [0082.913] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0082.913] lstrlenW (lpString=".ppt") returned 4 [0082.913] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0082.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0082.913] lstrlenW (lpString=".zip") returned 4 [0082.913] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0082.913] lstrlenW (lpString=".rar") returned 4 [0082.913] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0082.913] lstrlenW (lpString=".bz2") returned 4 [0082.913] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0082.913] lstrlenW (lpString=".7z") returned 3 [0082.913] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0082.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0082.913] lstrlenW (lpString=".dbf") returned 4 [0082.913] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0082.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0082.913] lstrlenW (lpString=".1cd") returned 4 [0082.913] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0082.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0082.913] lstrlenW (lpString=".jpg") returned 4 [0082.913] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0082.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0082.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0082.914] lstrlenW (lpString=".doc") returned 4 [0082.914] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0082.914] lstrlenW (lpString=".docx") returned 5 [0082.914] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0082.914] lstrlenW (lpString=".pdf") returned 4 [0082.914] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0082.914] lstrlenW (lpString=".xls") returned 4 [0082.914] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0082.914] lstrlenW (lpString=".xlsx") returned 5 [0082.914] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0082.914] lstrlenW (lpString=".ppt") returned 4 [0082.914] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0082.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0082.914] lstrlenW (lpString=".zip") returned 4 [0082.914] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0082.914] lstrlenW (lpString=".rar") returned 4 [0082.914] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0082.914] lstrlenW (lpString=".bz2") returned 4 [0082.914] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0082.914] lstrlenW (lpString=".7z") returned 3 [0082.914] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0082.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0082.914] lstrlenW (lpString=".dbf") returned 4 [0082.914] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0082.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0082.914] lstrlenW (lpString=".1cd") returned 4 [0082.915] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0082.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0082.915] lstrlenW (lpString=".jpg") returned 4 [0082.915] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0082.915] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0082.915] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0082.915] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0082.917] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=34916) returned 1 [0082.917] CloseHandle (hObject=0x1ec) returned 1 [0082.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 0x20 [0082.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0082.917] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0082.917] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0082.918] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0082.918] GetLastError () returned 0x0 [0082.918] ReadFile (in: hFile=0x1ec, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x8864, lpOverlapped=0x0) returned 1 [0082.921] WriteFile (in: hFile=0x1e8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x8870, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x8870, lpOverlapped=0x0) returned 1 [0082.923] ReadFile (in: hFile=0x1ec, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0082.923] WriteFile (in: hFile=0x1e8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0082.923] SetEndOfFile (hFile=0x1e8) returned 1 [0082.924] CloseHandle (hObject=0x1e8) returned 1 [0082.924] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0082.924] SetEndOfFile (hFile=0x1ec) returned 1 [0082.925] CloseHandle (hObject=0x1ec) returned 1 [0082.925] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0082.926] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 1 [0082.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0082.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0082.926] lstrlenW (lpString=".doc") returned 4 [0082.926] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0082.926] lstrlenW (lpString=".docx") returned 5 [0082.926] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0082.926] lstrlenW (lpString=".pdf") returned 4 [0082.926] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0082.926] lstrlenW (lpString=".xls") returned 4 [0082.926] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0082.926] lstrlenW (lpString=".xlsx") returned 5 [0082.926] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0082.926] lstrlenW (lpString=".ppt") returned 4 [0082.926] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0082.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0082.926] lstrlenW (lpString=".zip") returned 4 [0082.926] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0082.926] lstrlenW (lpString=".rar") returned 4 [0082.927] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0082.927] lstrlenW (lpString=".bz2") returned 4 [0082.927] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0082.927] lstrlenW (lpString=".7z") returned 3 [0082.927] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0082.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0082.927] lstrlenW (lpString=".dbf") returned 4 [0082.927] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0082.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0082.927] lstrlenW (lpString=".1cd") returned 4 [0082.927] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0082.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0082.927] lstrlenW (lpString=".jpg") returned 4 [0082.927] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0082.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0082.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0082.927] lstrlenW (lpString=".doc") returned 4 [0082.927] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0082.927] lstrlenW (lpString=".docx") returned 5 [0082.927] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0082.927] lstrlenW (lpString=".pdf") returned 4 [0082.927] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0082.927] lstrlenW (lpString=".xls") returned 4 [0082.927] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0082.927] lstrlenW (lpString=".xlsx") returned 5 [0082.928] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0082.928] lstrlenW (lpString=".ppt") returned 4 [0082.928] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0082.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0082.928] lstrlenW (lpString=".zip") returned 4 [0082.928] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0082.928] lstrlenW (lpString=".rar") returned 4 [0082.928] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0082.928] lstrlenW (lpString=".bz2") returned 4 [0082.928] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0082.928] lstrlenW (lpString=".7z") returned 3 [0082.928] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0082.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0082.928] lstrlenW (lpString=".dbf") returned 4 [0082.928] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0082.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0082.928] lstrlenW (lpString=".1cd") returned 4 [0082.928] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0082.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0082.928] lstrlenW (lpString=".jpg") returned 4 [0082.928] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0082.928] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0082.928] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0082.929] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0083.729] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=2181) returned 1 [0083.729] CloseHandle (hObject=0x1d8) returned 1 [0083.729] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 0x20 [0083.730] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0083.730] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0083.730] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.730] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.730] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0083.730] GetLastError () returned 0x0 [0083.730] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x885, lpOverlapped=0x0) returned 1 [0083.732] WriteFile (in: hFile=0x1ec, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x890, lpOverlapped=0x0) returned 1 [0083.733] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0083.733] WriteFile (in: hFile=0x1ec, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0083.734] SetEndOfFile (hFile=0x1ec) returned 1 [0083.734] CloseHandle (hObject=0x1ec) returned 1 [0083.734] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.734] SetEndOfFile (hFile=0x1d8) returned 1 [0083.735] CloseHandle (hObject=0x1d8) returned 1 [0083.735] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0083.736] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 1 [0083.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0083.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0083.736] lstrlenW (lpString=".doc") returned 4 [0083.736] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0083.736] lstrlenW (lpString=".docx") returned 5 [0083.736] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0083.736] lstrlenW (lpString=".pdf") returned 4 [0083.736] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0083.736] lstrlenW (lpString=".xls") returned 4 [0083.736] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0083.736] lstrlenW (lpString=".xlsx") returned 5 [0083.736] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0083.736] lstrlenW (lpString=".ppt") returned 4 [0083.736] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0083.736] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0083.736] lstrlenW (lpString=".zip") returned 4 [0083.736] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0083.736] lstrlenW (lpString=".rar") returned 4 [0083.736] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0083.737] lstrlenW (lpString=".bz2") returned 4 [0083.737] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0083.737] lstrlenW (lpString=".7z") returned 3 [0083.737] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0083.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0083.737] lstrlenW (lpString=".dbf") returned 4 [0083.737] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0083.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0083.737] lstrlenW (lpString=".1cd") returned 4 [0083.737] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0083.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0083.737] lstrlenW (lpString=".jpg") returned 4 [0083.737] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0083.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0083.737] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0083.737] lstrlenW (lpString=".doc") returned 4 [0083.737] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0083.737] lstrlenW (lpString=".docx") returned 5 [0083.737] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0083.737] lstrlenW (lpString=".pdf") returned 4 [0083.737] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0083.737] lstrlenW (lpString=".xls") returned 4 [0083.737] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0083.737] lstrlenW (lpString=".xlsx") returned 5 [0083.737] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0083.738] lstrlenW (lpString=".ppt") returned 4 [0083.738] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0083.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0083.738] lstrlenW (lpString=".zip") returned 4 [0083.738] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0083.738] lstrlenW (lpString=".rar") returned 4 [0083.738] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0083.738] lstrlenW (lpString=".bz2") returned 4 [0083.738] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0083.738] lstrlenW (lpString=".7z") returned 3 [0083.738] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0083.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0083.738] lstrlenW (lpString=".dbf") returned 4 [0083.738] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0083.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0083.738] lstrlenW (lpString=".1cd") returned 4 [0083.738] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0083.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0083.738] lstrlenW (lpString=".jpg") returned 4 [0083.738] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0083.738] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0083.738] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0083.739] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0083.739] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1560) returned 1 [0083.739] CloseHandle (hObject=0x1d8) returned 1 [0083.739] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 0x20 [0083.739] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0083.739] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0083.739] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.739] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.739] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0083.742] GetLastError () returned 0x0 [0083.742] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x618, lpOverlapped=0x0) returned 1 [0083.743] WriteFile (in: hFile=0x1ec, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x620, lpOverlapped=0x0) returned 1 [0083.746] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0083.746] WriteFile (in: hFile=0x1ec, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0083.747] SetEndOfFile (hFile=0x1ec) returned 1 [0083.747] CloseHandle (hObject=0x1ec) returned 1 [0083.747] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.747] SetEndOfFile (hFile=0x1d8) returned 1 [0083.748] CloseHandle (hObject=0x1d8) returned 1 [0083.748] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0083.748] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 1 [0083.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0083.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0083.748] lstrlenW (lpString=".doc") returned 4 [0083.748] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0083.748] lstrlenW (lpString=".docx") returned 5 [0083.748] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0083.748] lstrlenW (lpString=".pdf") returned 4 [0083.749] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0083.749] lstrlenW (lpString=".xls") returned 4 [0083.749] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0083.749] lstrlenW (lpString=".xlsx") returned 5 [0083.749] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0083.749] lstrlenW (lpString=".ppt") returned 4 [0083.749] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0083.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0083.749] lstrlenW (lpString=".zip") returned 4 [0083.749] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0083.749] lstrlenW (lpString=".rar") returned 4 [0083.749] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0083.749] lstrlenW (lpString=".bz2") returned 4 [0083.749] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0083.749] lstrlenW (lpString=".7z") returned 3 [0083.749] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0083.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0083.749] lstrlenW (lpString=".dbf") returned 4 [0083.749] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0083.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0083.749] lstrlenW (lpString=".1cd") returned 4 [0083.749] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0083.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0083.749] lstrlenW (lpString=".jpg") returned 4 [0083.749] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0083.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0083.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0083.749] lstrlenW (lpString=".doc") returned 4 [0083.749] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0083.749] lstrlenW (lpString=".docx") returned 5 [0083.749] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0083.750] lstrlenW (lpString=".pdf") returned 4 [0083.750] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0083.750] lstrlenW (lpString=".xls") returned 4 [0083.750] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0083.750] lstrlenW (lpString=".xlsx") returned 5 [0083.750] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0083.750] lstrlenW (lpString=".ppt") returned 4 [0083.750] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0083.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0083.750] lstrlenW (lpString=".zip") returned 4 [0083.750] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0083.750] lstrlenW (lpString=".rar") returned 4 [0083.750] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0083.750] lstrlenW (lpString=".bz2") returned 4 [0083.750] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0083.750] lstrlenW (lpString=".7z") returned 3 [0083.750] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0083.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0083.750] lstrlenW (lpString=".dbf") returned 4 [0083.750] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0083.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0083.750] lstrlenW (lpString=".1cd") returned 4 [0083.750] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0083.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0083.750] lstrlenW (lpString=".jpg") returned 4 [0083.750] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0083.750] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0083.750] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0083.750] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0083.751] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=33009) returned 1 [0083.751] CloseHandle (hObject=0x1d8) returned 1 [0083.751] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 0x20 [0083.751] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0083.751] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0083.751] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.751] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.751] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0083.752] GetLastError () returned 0x0 [0083.752] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x80f1, lpOverlapped=0x0) returned 1 [0083.754] WriteFile (in: hFile=0x1ec, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x8100, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x8100, lpOverlapped=0x0) returned 1 [0083.756] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0083.756] WriteFile (in: hFile=0x1ec, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0083.756] SetEndOfFile (hFile=0x1ec) returned 1 [0083.756] CloseHandle (hObject=0x1ec) returned 1 [0083.756] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.756] SetEndOfFile (hFile=0x1d8) returned 1 [0083.757] CloseHandle (hObject=0x1d8) returned 1 [0083.757] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0083.758] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 1 [0083.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0083.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0083.758] lstrlenW (lpString=".doc") returned 4 [0083.758] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0083.758] lstrlenW (lpString=".docx") returned 5 [0083.758] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0083.758] lstrlenW (lpString=".pdf") returned 4 [0083.758] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0083.758] lstrlenW (lpString=".xls") returned 4 [0083.758] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0083.758] lstrlenW (lpString=".xlsx") returned 5 [0083.758] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0083.758] lstrlenW (lpString=".ppt") returned 4 [0083.758] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0083.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0083.758] lstrlenW (lpString=".zip") returned 4 [0083.758] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0083.758] lstrlenW (lpString=".rar") returned 4 [0083.758] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0083.758] lstrlenW (lpString=".bz2") returned 4 [0083.758] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0083.758] lstrlenW (lpString=".7z") returned 3 [0083.758] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0083.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0083.759] lstrlenW (lpString=".dbf") returned 4 [0083.759] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0083.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0083.759] lstrlenW (lpString=".1cd") returned 4 [0083.759] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0083.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0083.759] lstrlenW (lpString=".jpg") returned 4 [0083.759] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0083.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0083.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0083.759] lstrlenW (lpString=".doc") returned 4 [0083.759] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0083.759] lstrlenW (lpString=".docx") returned 5 [0083.759] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0083.759] lstrlenW (lpString=".pdf") returned 4 [0083.759] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0083.759] lstrlenW (lpString=".xls") returned 4 [0083.759] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0083.759] lstrlenW (lpString=".xlsx") returned 5 [0083.759] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0083.759] lstrlenW (lpString=".ppt") returned 4 [0083.759] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0083.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0083.759] lstrlenW (lpString=".zip") returned 4 [0083.759] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0083.759] lstrlenW (lpString=".rar") returned 4 [0083.759] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0083.759] lstrlenW (lpString=".bz2") returned 4 [0083.759] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0083.759] lstrlenW (lpString=".7z") returned 3 [0083.759] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0083.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0083.759] lstrlenW (lpString=".dbf") returned 4 [0083.759] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0083.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0083.760] lstrlenW (lpString=".1cd") returned 4 [0083.760] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0083.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0083.760] lstrlenW (lpString=".jpg") returned 4 [0083.760] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0083.760] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0083.760] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0083.760] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0083.760] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1925) returned 1 [0083.760] CloseHandle (hObject=0x1d8) returned 1 [0083.760] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 0x20 [0083.760] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0083.760] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0083.761] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.761] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.761] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0083.764] GetLastError () returned 0x0 [0083.764] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x785, lpOverlapped=0x0) returned 1 [0083.883] WriteFile (in: hFile=0x1ec, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x790, lpOverlapped=0x0) returned 1 [0084.081] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0084.081] WriteFile (in: hFile=0x1ec, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0084.082] SetEndOfFile (hFile=0x1ec) returned 1 [0084.082] CloseHandle (hObject=0x1ec) returned 1 [0084.082] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.082] SetEndOfFile (hFile=0x1d8) returned 1 [0084.083] CloseHandle (hObject=0x1d8) returned 1 [0084.083] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0084.083] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 1 [0084.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0084.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0084.084] lstrlenW (lpString=".doc") returned 4 [0084.084] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.084] lstrlenW (lpString=".docx") returned 5 [0084.084] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.084] lstrlenW (lpString=".pdf") returned 4 [0084.084] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.084] lstrlenW (lpString=".xls") returned 4 [0084.084] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.084] lstrlenW (lpString=".xlsx") returned 5 [0084.084] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.084] lstrlenW (lpString=".ppt") returned 4 [0084.084] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0084.084] lstrlenW (lpString=".zip") returned 4 [0084.084] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.084] lstrlenW (lpString=".rar") returned 4 [0084.084] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.084] lstrlenW (lpString=".bz2") returned 4 [0084.085] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0084.085] lstrlenW (lpString=".7z") returned 3 [0084.085] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0084.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0084.085] lstrlenW (lpString=".dbf") returned 4 [0084.085] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0084.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0084.085] lstrlenW (lpString=".1cd") returned 4 [0084.085] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0084.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0084.085] lstrlenW (lpString=".jpg") returned 4 [0084.085] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0084.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0084.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0084.085] lstrlenW (lpString=".doc") returned 4 [0084.085] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.085] lstrlenW (lpString=".docx") returned 5 [0084.085] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.085] lstrlenW (lpString=".pdf") returned 4 [0084.085] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.085] lstrlenW (lpString=".xls") returned 4 [0084.085] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.085] lstrlenW (lpString=".xlsx") returned 5 [0084.085] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.085] lstrlenW (lpString=".ppt") returned 4 [0084.085] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0084.086] lstrlenW (lpString=".zip") returned 4 [0084.086] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.086] lstrlenW (lpString=".rar") returned 4 [0084.086] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.086] lstrlenW (lpString=".bz2") returned 4 [0084.086] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0084.086] lstrlenW (lpString=".7z") returned 3 [0084.086] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0084.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0084.086] lstrlenW (lpString=".dbf") returned 4 [0084.086] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0084.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0084.086] lstrlenW (lpString=".1cd") returned 4 [0084.086] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0084.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0084.086] lstrlenW (lpString=".jpg") returned 4 [0084.086] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0084.086] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0084.086] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0084.086] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0084.087] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=2722) returned 1 [0084.087] CloseHandle (hObject=0x1d8) returned 1 [0084.087] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 0x20 [0084.087] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0084.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0084.087] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.088] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.088] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0084.579] GetLastError () returned 0x0 [0084.579] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0xaa2, lpOverlapped=0x0) returned 1 [0084.589] WriteFile (in: hFile=0x1cc, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xab0, lpOverlapped=0x0) returned 1 [0084.592] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0084.592] WriteFile (in: hFile=0x1cc, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0084.592] SetEndOfFile (hFile=0x1cc) returned 1 [0084.600] CloseHandle (hObject=0x1cc) returned 1 [0084.600] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.600] SetEndOfFile (hFile=0x1d8) returned 1 [0084.605] CloseHandle (hObject=0x1d8) returned 1 [0084.605] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0084.609] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 1 [0084.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0084.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0084.609] lstrlenW (lpString=".doc") returned 4 [0084.609] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.609] lstrlenW (lpString=".docx") returned 5 [0084.609] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.609] lstrlenW (lpString=".pdf") returned 4 [0084.609] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.610] lstrlenW (lpString=".xls") returned 4 [0084.610] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.610] lstrlenW (lpString=".xlsx") returned 5 [0084.610] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.610] lstrlenW (lpString=".ppt") returned 4 [0084.610] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0084.610] lstrlenW (lpString=".zip") returned 4 [0084.610] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.610] lstrlenW (lpString=".rar") returned 4 [0084.610] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.610] lstrlenW (lpString=".bz2") returned 4 [0084.610] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0084.610] lstrlenW (lpString=".7z") returned 3 [0084.610] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0084.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0084.610] lstrlenW (lpString=".dbf") returned 4 [0084.610] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0084.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0084.610] lstrlenW (lpString=".1cd") returned 4 [0084.610] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0084.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0084.610] lstrlenW (lpString=".jpg") returned 4 [0084.610] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0084.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0084.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0084.610] lstrlenW (lpString=".doc") returned 4 [0084.611] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0084.611] lstrlenW (lpString=".docx") returned 5 [0084.611] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0084.611] lstrlenW (lpString=".pdf") returned 4 [0084.611] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0084.611] lstrlenW (lpString=".xls") returned 4 [0084.611] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0084.611] lstrlenW (lpString=".xlsx") returned 5 [0084.611] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0084.611] lstrlenW (lpString=".ppt") returned 4 [0084.611] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0084.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0084.611] lstrlenW (lpString=".zip") returned 4 [0084.612] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0084.612] lstrlenW (lpString=".rar") returned 4 [0084.612] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0084.612] lstrlenW (lpString=".bz2") returned 4 [0084.612] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0084.612] lstrlenW (lpString=".7z") returned 3 [0084.612] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0084.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0084.612] lstrlenW (lpString=".dbf") returned 4 [0084.612] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0084.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0084.612] lstrlenW (lpString=".1cd") returned 4 [0084.612] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0084.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0084.612] lstrlenW (lpString=".jpg") returned 4 [0084.612] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0084.612] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0084.612] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0084.615] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0084.616] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1293) returned 1 [0084.616] CloseHandle (hObject=0x1d8) returned 1 [0084.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 0x20 [0084.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0084.617] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0084.618] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.618] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.618] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0084.645] GetLastError () returned 0x0 [0084.645] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x50d, lpOverlapped=0x0) returned 1 [0085.161] WriteFile (in: hFile=0x1cc, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x510, lpOverlapped=0x0) returned 1 [0085.163] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.163] WriteFile (in: hFile=0x1cc, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.163] SetEndOfFile (hFile=0x1cc) returned 1 [0085.163] CloseHandle (hObject=0x1cc) returned 1 [0085.163] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.163] SetEndOfFile (hFile=0x1d8) returned 1 [0085.164] CloseHandle (hObject=0x1d8) returned 1 [0085.164] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.165] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 1 [0085.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0085.165] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0085.165] lstrlenW (lpString=".doc") returned 4 [0085.165] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.165] lstrlenW (lpString=".docx") returned 5 [0085.165] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.165] lstrlenW (lpString=".pdf") returned 4 [0085.165] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.165] lstrlenW (lpString=".xls") returned 4 [0085.165] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.165] lstrlenW (lpString=".xlsx") returned 5 [0085.166] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.166] lstrlenW (lpString=".ppt") returned 4 [0085.166] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0085.166] lstrlenW (lpString=".zip") returned 4 [0085.166] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.166] lstrlenW (lpString=".rar") returned 4 [0085.166] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.166] lstrlenW (lpString=".bz2") returned 4 [0085.166] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.166] lstrlenW (lpString=".7z") returned 3 [0085.166] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0085.166] lstrlenW (lpString=".dbf") returned 4 [0085.166] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0085.166] lstrlenW (lpString=".1cd") returned 4 [0085.166] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0085.166] lstrlenW (lpString=".jpg") returned 4 [0085.166] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0085.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0085.167] lstrlenW (lpString=".doc") returned 4 [0085.167] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.167] lstrlenW (lpString=".docx") returned 5 [0085.167] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.167] lstrlenW (lpString=".pdf") returned 4 [0085.167] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.167] lstrlenW (lpString=".xls") returned 4 [0085.167] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.167] lstrlenW (lpString=".xlsx") returned 5 [0085.167] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.167] lstrlenW (lpString=".ppt") returned 4 [0085.167] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0085.167] lstrlenW (lpString=".zip") returned 4 [0085.167] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.167] lstrlenW (lpString=".rar") returned 4 [0085.167] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.168] lstrlenW (lpString=".bz2") returned 4 [0085.168] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.168] lstrlenW (lpString=".7z") returned 3 [0085.168] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0085.168] lstrlenW (lpString=".dbf") returned 4 [0085.168] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0085.168] lstrlenW (lpString=".1cd") returned 4 [0085.168] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0085.168] lstrlenW (lpString=".jpg") returned 4 [0085.168] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.168] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.168] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.168] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0085.169] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1287) returned 1 [0085.169] CloseHandle (hObject=0x1d8) returned 1 [0085.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 0x20 [0085.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.179] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.179] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0085.180] GetLastError () returned 0x0 [0085.180] ReadFile (in: hFile=0x1b0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x507, lpOverlapped=0x0) returned 1 [0085.182] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x510, lpOverlapped=0x0) returned 1 [0085.185] ReadFile (in: hFile=0x1b0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.185] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.185] SetEndOfFile (hFile=0x1d8) returned 1 [0085.185] CloseHandle (hObject=0x1d8) returned 1 [0085.185] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.185] SetEndOfFile (hFile=0x1b0) returned 1 [0085.186] CloseHandle (hObject=0x1b0) returned 1 [0085.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.187] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 1 [0085.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0085.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0085.187] lstrlenW (lpString=".doc") returned 4 [0085.187] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.187] lstrlenW (lpString=".docx") returned 5 [0085.187] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.187] lstrlenW (lpString=".pdf") returned 4 [0085.187] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.187] lstrlenW (lpString=".xls") returned 4 [0085.187] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.187] lstrlenW (lpString=".xlsx") returned 5 [0085.187] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.187] lstrlenW (lpString=".ppt") returned 4 [0085.187] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0085.187] lstrlenW (lpString=".zip") returned 4 [0085.187] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.187] lstrlenW (lpString=".rar") returned 4 [0085.187] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.187] lstrlenW (lpString=".bz2") returned 4 [0085.187] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.187] lstrlenW (lpString=".7z") returned 3 [0085.188] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0085.188] lstrlenW (lpString=".dbf") returned 4 [0085.188] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0085.188] lstrlenW (lpString=".1cd") returned 4 [0085.188] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0085.188] lstrlenW (lpString=".jpg") returned 4 [0085.188] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0085.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0085.188] lstrlenW (lpString=".doc") returned 4 [0085.188] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.188] lstrlenW (lpString=".docx") returned 5 [0085.188] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.188] lstrlenW (lpString=".pdf") returned 4 [0085.188] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.188] lstrlenW (lpString=".xls") returned 4 [0085.188] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.188] lstrlenW (lpString=".xlsx") returned 5 [0085.188] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.188] lstrlenW (lpString=".ppt") returned 4 [0085.188] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0085.188] lstrlenW (lpString=".zip") returned 4 [0085.188] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.188] lstrlenW (lpString=".rar") returned 4 [0085.188] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.188] lstrlenW (lpString=".bz2") returned 4 [0085.189] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.189] lstrlenW (lpString=".7z") returned 3 [0085.189] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0085.189] lstrlenW (lpString=".dbf") returned 4 [0085.189] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0085.189] lstrlenW (lpString=".1cd") returned 4 [0085.189] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0085.189] lstrlenW (lpString=".jpg") returned 4 [0085.189] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.189] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.189] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.189] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.190] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=3957) returned 1 [0085.190] CloseHandle (hObject=0x1b0) returned 1 [0085.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 0x20 [0085.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.190] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.190] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.190] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.190] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0085.192] GetLastError () returned 0x0 [0085.192] ReadFile (in: hFile=0x1b0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0xf75, lpOverlapped=0x0) returned 1 [0085.194] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xf80, lpOverlapped=0x0) returned 1 [0085.195] ReadFile (in: hFile=0x1b0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.195] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.195] SetEndOfFile (hFile=0x1d8) returned 1 [0085.195] CloseHandle (hObject=0x1d8) returned 1 [0085.196] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.196] SetEndOfFile (hFile=0x1b0) returned 1 [0085.197] CloseHandle (hObject=0x1b0) returned 1 [0085.197] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.197] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 1 [0085.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0085.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0085.197] lstrlenW (lpString=".doc") returned 4 [0085.197] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.197] lstrlenW (lpString=".docx") returned 5 [0085.197] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.198] lstrlenW (lpString=".pdf") returned 4 [0085.198] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.198] lstrlenW (lpString=".xls") returned 4 [0085.198] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.198] lstrlenW (lpString=".xlsx") returned 5 [0085.198] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.198] lstrlenW (lpString=".ppt") returned 4 [0085.198] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0085.198] lstrlenW (lpString=".zip") returned 4 [0085.198] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.198] lstrlenW (lpString=".rar") returned 4 [0085.198] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.198] lstrlenW (lpString=".bz2") returned 4 [0085.198] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.198] lstrlenW (lpString=".7z") returned 3 [0085.198] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0085.198] lstrlenW (lpString=".dbf") returned 4 [0085.198] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0085.198] lstrlenW (lpString=".1cd") returned 4 [0085.198] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0085.198] lstrlenW (lpString=".jpg") returned 4 [0085.198] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0085.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0085.199] lstrlenW (lpString=".doc") returned 4 [0085.199] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.199] lstrlenW (lpString=".docx") returned 5 [0085.199] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.199] lstrlenW (lpString=".pdf") returned 4 [0085.199] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.199] lstrlenW (lpString=".xls") returned 4 [0085.199] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.199] lstrlenW (lpString=".xlsx") returned 5 [0085.199] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.199] lstrlenW (lpString=".ppt") returned 4 [0085.199] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0085.199] lstrlenW (lpString=".zip") returned 4 [0085.199] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.200] lstrlenW (lpString=".rar") returned 4 [0085.200] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.200] lstrlenW (lpString=".bz2") returned 4 [0085.200] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.200] lstrlenW (lpString=".7z") returned 3 [0085.200] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0085.200] lstrlenW (lpString=".dbf") returned 4 [0085.200] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0085.200] lstrlenW (lpString=".1cd") returned 4 [0085.200] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.200] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0085.200] lstrlenW (lpString=".jpg") returned 4 [0085.200] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.200] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.200] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.205] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=33277) returned 1 [0085.205] CloseHandle (hObject=0x1b0) returned 1 [0085.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 0x20 [0085.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.205] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.205] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0085.206] GetLastError () returned 0x0 [0085.206] ReadFile (in: hFile=0x1b0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x81fd, lpOverlapped=0x0) returned 1 [0085.211] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x8200, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x8200, lpOverlapped=0x0) returned 1 [0085.213] ReadFile (in: hFile=0x1b0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.213] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.213] SetEndOfFile (hFile=0x1d8) returned 1 [0085.214] CloseHandle (hObject=0x1d8) returned 1 [0085.214] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.214] SetEndOfFile (hFile=0x1b0) returned 1 [0085.215] CloseHandle (hObject=0x1b0) returned 1 [0085.215] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.216] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 1 [0085.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0085.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0085.216] lstrlenW (lpString=".doc") returned 4 [0085.216] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.216] lstrlenW (lpString=".docx") returned 5 [0085.216] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.216] lstrlenW (lpString=".pdf") returned 4 [0085.216] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.216] lstrlenW (lpString=".xls") returned 4 [0085.216] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.216] lstrlenW (lpString=".xlsx") returned 5 [0085.216] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.216] lstrlenW (lpString=".ppt") returned 4 [0085.217] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0085.217] lstrlenW (lpString=".zip") returned 4 [0085.217] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.217] lstrlenW (lpString=".rar") returned 4 [0085.217] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.217] lstrlenW (lpString=".bz2") returned 4 [0085.217] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.217] lstrlenW (lpString=".7z") returned 3 [0085.217] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0085.217] lstrlenW (lpString=".dbf") returned 4 [0085.217] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0085.217] lstrlenW (lpString=".1cd") returned 4 [0085.217] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0085.217] lstrlenW (lpString=".jpg") returned 4 [0085.217] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0085.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0085.217] lstrlenW (lpString=".doc") returned 4 [0085.217] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.217] lstrlenW (lpString=".docx") returned 5 [0085.217] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.217] lstrlenW (lpString=".pdf") returned 4 [0085.217] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.218] lstrlenW (lpString=".xls") returned 4 [0085.218] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.218] lstrlenW (lpString=".xlsx") returned 5 [0085.218] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.218] lstrlenW (lpString=".ppt") returned 4 [0085.218] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0085.218] lstrlenW (lpString=".zip") returned 4 [0085.218] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.218] lstrlenW (lpString=".rar") returned 4 [0085.218] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.218] lstrlenW (lpString=".bz2") returned 4 [0085.218] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.218] lstrlenW (lpString=".7z") returned 3 [0085.218] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0085.218] lstrlenW (lpString=".dbf") returned 4 [0085.218] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0085.218] lstrlenW (lpString=".1cd") returned 4 [0085.218] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0085.218] lstrlenW (lpString=".jpg") returned 4 [0085.218] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.219] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.219] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.219] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1453) returned 1 [0085.219] CloseHandle (hObject=0x1b0) returned 1 [0085.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif")) returned 0x20 [0085.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.220] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.220] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.220] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.220] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0085.482] GetLastError () returned 0x0 [0085.482] ReadFile (in: hFile=0x1b0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x5ad, lpOverlapped=0x0) returned 1 [0085.502] WriteFile (in: hFile=0x1e4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0085.504] ReadFile (in: hFile=0x1b0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.504] WriteFile (in: hFile=0x1e4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.504] SetEndOfFile (hFile=0x1e4) returned 1 [0085.504] CloseHandle (hObject=0x1e4) returned 1 [0085.504] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.505] SetEndOfFile (hFile=0x1b0) returned 1 [0085.505] CloseHandle (hObject=0x1b0) returned 1 [0085.506] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.506] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif")) returned 1 [0085.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0085.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0085.506] lstrlenW (lpString=".doc") returned 4 [0085.506] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.506] lstrlenW (lpString=".docx") returned 5 [0085.506] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.506] lstrlenW (lpString=".pdf") returned 4 [0085.506] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.507] lstrlenW (lpString=".xls") returned 4 [0085.507] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.507] lstrlenW (lpString=".xlsx") returned 5 [0085.507] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.507] lstrlenW (lpString=".ppt") returned 4 [0085.507] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0085.507] lstrlenW (lpString=".zip") returned 4 [0085.507] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.507] lstrlenW (lpString=".rar") returned 4 [0085.507] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.507] lstrlenW (lpString=".bz2") returned 4 [0085.507] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.507] lstrlenW (lpString=".7z") returned 3 [0085.507] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0085.507] lstrlenW (lpString=".dbf") returned 4 [0085.507] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0085.507] lstrlenW (lpString=".1cd") returned 4 [0085.507] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0085.507] lstrlenW (lpString=".jpg") returned 4 [0085.507] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0085.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0085.508] lstrlenW (lpString=".doc") returned 4 [0085.508] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.508] lstrlenW (lpString=".docx") returned 5 [0085.508] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.508] lstrlenW (lpString=".pdf") returned 4 [0085.508] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.508] lstrlenW (lpString=".xls") returned 4 [0085.508] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.508] lstrlenW (lpString=".xlsx") returned 5 [0085.508] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.508] lstrlenW (lpString=".ppt") returned 4 [0085.508] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0085.508] lstrlenW (lpString=".zip") returned 4 [0085.508] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.508] lstrlenW (lpString=".rar") returned 4 [0085.508] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.508] lstrlenW (lpString=".bz2") returned 4 [0085.508] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.508] lstrlenW (lpString=".7z") returned 3 [0085.508] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0085.508] lstrlenW (lpString=".dbf") returned 4 [0085.508] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0085.508] lstrlenW (lpString=".1cd") returned 4 [0085.508] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0085.509] lstrlenW (lpString=".jpg") returned 4 [0085.509] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.509] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.509] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.509] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0085.607] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=32433) returned 1 [0085.607] CloseHandle (hObject=0x1d0) returned 1 [0085.607] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 0x20 [0085.607] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.607] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0085.607] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.607] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.607] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0085.608] GetLastError () returned 0x0 [0085.608] ReadFile (in: hFile=0x1d0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x7eb1, lpOverlapped=0x0) returned 1 [0085.612] WriteFile (in: hFile=0x1d4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x7ec0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x7ec0, lpOverlapped=0x0) returned 1 [0085.614] ReadFile (in: hFile=0x1d0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.614] WriteFile (in: hFile=0x1d4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.614] SetEndOfFile (hFile=0x1d4) returned 1 [0085.614] CloseHandle (hObject=0x1d4) returned 1 [0085.615] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.615] SetEndOfFile (hFile=0x1d0) returned 1 [0085.616] CloseHandle (hObject=0x1d0) returned 1 [0085.616] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.617] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 1 [0085.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0085.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0085.617] lstrlenW (lpString=".doc") returned 4 [0085.617] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.617] lstrlenW (lpString=".docx") returned 5 [0085.617] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.617] lstrlenW (lpString=".pdf") returned 4 [0085.617] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.617] lstrlenW (lpString=".xls") returned 4 [0085.617] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.617] lstrlenW (lpString=".xlsx") returned 5 [0085.617] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.617] lstrlenW (lpString=".ppt") returned 4 [0085.617] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0085.617] lstrlenW (lpString=".zip") returned 4 [0085.617] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.617] lstrlenW (lpString=".rar") returned 4 [0085.617] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.617] lstrlenW (lpString=".bz2") returned 4 [0085.618] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.618] lstrlenW (lpString=".7z") returned 3 [0085.618] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0085.618] lstrlenW (lpString=".dbf") returned 4 [0085.618] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0085.618] lstrlenW (lpString=".1cd") returned 4 [0085.618] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0085.618] lstrlenW (lpString=".jpg") returned 4 [0085.618] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0085.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0085.618] lstrlenW (lpString=".doc") returned 4 [0085.618] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.618] lstrlenW (lpString=".docx") returned 5 [0085.618] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.618] lstrlenW (lpString=".pdf") returned 4 [0085.618] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.618] lstrlenW (lpString=".xls") returned 4 [0085.618] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.618] lstrlenW (lpString=".xlsx") returned 5 [0085.618] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.618] lstrlenW (lpString=".ppt") returned 4 [0085.619] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0085.619] lstrlenW (lpString=".zip") returned 4 [0085.619] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.619] lstrlenW (lpString=".rar") returned 4 [0085.619] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.619] lstrlenW (lpString=".bz2") returned 4 [0085.619] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.619] lstrlenW (lpString=".7z") returned 3 [0085.619] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0085.619] lstrlenW (lpString=".dbf") returned 4 [0085.619] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0085.619] lstrlenW (lpString=".1cd") returned 4 [0085.619] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0085.619] lstrlenW (lpString=".jpg") returned 4 [0085.619] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.619] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.619] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.619] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0085.620] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=5179) returned 1 [0085.620] CloseHandle (hObject=0x1d0) returned 1 [0085.620] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif")) returned 0x20 [0085.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0085.621] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.621] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0085.623] GetLastError () returned 0x0 [0085.623] ReadFile (in: hFile=0x1d0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x143b, lpOverlapped=0x0) returned 1 [0085.626] WriteFile (in: hFile=0x20c, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x1440, lpOverlapped=0x0) returned 1 [0085.627] ReadFile (in: hFile=0x1d0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.627] WriteFile (in: hFile=0x20c, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.627] SetEndOfFile (hFile=0x20c) returned 1 [0085.627] CloseHandle (hObject=0x20c) returned 1 [0085.627] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.628] SetEndOfFile (hFile=0x1d0) returned 1 [0085.629] CloseHandle (hObject=0x1d0) returned 1 [0085.629] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.629] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif")) returned 1 [0085.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0085.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0085.629] lstrlenW (lpString=".doc") returned 4 [0085.629] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.629] lstrlenW (lpString=".docx") returned 5 [0085.629] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.630] lstrlenW (lpString=".pdf") returned 4 [0085.630] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.630] lstrlenW (lpString=".xls") returned 4 [0085.630] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.630] lstrlenW (lpString=".xlsx") returned 5 [0085.630] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.630] lstrlenW (lpString=".ppt") returned 4 [0085.630] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0085.630] lstrlenW (lpString=".zip") returned 4 [0085.630] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.630] lstrlenW (lpString=".rar") returned 4 [0085.630] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.630] lstrlenW (lpString=".bz2") returned 4 [0085.630] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.630] lstrlenW (lpString=".7z") returned 3 [0085.630] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0085.630] lstrlenW (lpString=".dbf") returned 4 [0085.630] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0085.630] lstrlenW (lpString=".1cd") returned 4 [0085.630] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0085.630] lstrlenW (lpString=".jpg") returned 4 [0085.630] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0085.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0085.631] lstrlenW (lpString=".doc") returned 4 [0085.631] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.631] lstrlenW (lpString=".docx") returned 5 [0085.631] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.631] lstrlenW (lpString=".pdf") returned 4 [0085.631] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.631] lstrlenW (lpString=".xls") returned 4 [0085.631] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.631] lstrlenW (lpString=".xlsx") returned 5 [0085.631] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.631] lstrlenW (lpString=".ppt") returned 4 [0085.631] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0085.631] lstrlenW (lpString=".zip") returned 4 [0085.631] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.631] lstrlenW (lpString=".rar") returned 4 [0085.631] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.631] lstrlenW (lpString=".bz2") returned 4 [0085.631] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.631] lstrlenW (lpString=".7z") returned 3 [0085.631] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0085.631] lstrlenW (lpString=".dbf") returned 4 [0085.631] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0085.632] lstrlenW (lpString=".1cd") returned 4 [0085.632] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0085.632] lstrlenW (lpString=".jpg") returned 4 [0085.632] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.632] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.632] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.632] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0085.633] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=33559) returned 1 [0085.633] CloseHandle (hObject=0x1d0) returned 1 [0085.633] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 0x20 [0085.633] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.633] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0085.633] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.633] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.633] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0085.634] GetLastError () returned 0x0 [0085.634] ReadFile (in: hFile=0x1d0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x8317, lpOverlapped=0x0) returned 1 [0085.765] WriteFile (in: hFile=0x20c, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x8320, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x8320, lpOverlapped=0x0) returned 1 [0085.767] ReadFile (in: hFile=0x1d0, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.767] WriteFile (in: hFile=0x20c, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.767] SetEndOfFile (hFile=0x20c) returned 1 [0085.767] CloseHandle (hObject=0x20c) returned 1 [0085.767] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.767] SetEndOfFile (hFile=0x1d0) returned 1 [0085.769] CloseHandle (hObject=0x1d0) returned 1 [0085.769] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.769] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 1 [0085.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0085.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0085.770] lstrlenW (lpString=".doc") returned 4 [0085.770] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.770] lstrlenW (lpString=".docx") returned 5 [0085.770] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.770] lstrlenW (lpString=".pdf") returned 4 [0085.770] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.770] lstrlenW (lpString=".xls") returned 4 [0085.770] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.770] lstrlenW (lpString=".xlsx") returned 5 [0085.770] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.770] lstrlenW (lpString=".ppt") returned 4 [0085.770] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0085.770] lstrlenW (lpString=".zip") returned 4 [0085.770] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.770] lstrlenW (lpString=".rar") returned 4 [0085.770] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.770] lstrlenW (lpString=".bz2") returned 4 [0085.770] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.770] lstrlenW (lpString=".7z") returned 3 [0085.770] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0085.770] lstrlenW (lpString=".dbf") returned 4 [0085.770] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0085.770] lstrlenW (lpString=".1cd") returned 4 [0085.770] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0085.770] lstrlenW (lpString=".jpg") returned 4 [0085.770] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0085.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0085.771] lstrlenW (lpString=".doc") returned 4 [0085.771] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.771] lstrlenW (lpString=".docx") returned 5 [0085.771] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.771] lstrlenW (lpString=".pdf") returned 4 [0085.771] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.771] lstrlenW (lpString=".xls") returned 4 [0085.771] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.771] lstrlenW (lpString=".xlsx") returned 5 [0085.771] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.771] lstrlenW (lpString=".ppt") returned 4 [0085.771] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0085.771] lstrlenW (lpString=".zip") returned 4 [0085.771] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.771] lstrlenW (lpString=".rar") returned 4 [0085.771] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.771] lstrlenW (lpString=".bz2") returned 4 [0085.771] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.771] lstrlenW (lpString=".7z") returned 3 [0085.771] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0085.771] lstrlenW (lpString=".dbf") returned 4 [0085.771] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0085.771] lstrlenW (lpString=".1cd") returned 4 [0085.771] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0085.772] lstrlenW (lpString=".jpg") returned 4 [0085.772] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.772] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.772] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.772] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0085.884] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=18413) returned 1 [0085.884] CloseHandle (hObject=0x204) returned 1 [0085.884] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 0x20 [0085.884] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.887] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0085.895] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.895] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.895] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0085.903] GetLastError () returned 0x0 [0085.903] ReadFile (in: hFile=0x1f4, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x47ed, lpOverlapped=0x0) returned 1 [0085.917] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x47f0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x47f0, lpOverlapped=0x0) returned 1 [0085.918] ReadFile (in: hFile=0x1f4, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.918] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.918] SetEndOfFile (hFile=0x204) returned 1 [0085.918] CloseHandle (hObject=0x204) returned 1 [0085.919] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.919] SetEndOfFile (hFile=0x1f4) returned 1 [0085.919] CloseHandle (hObject=0x1f4) returned 1 [0085.920] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.920] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 1 [0085.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0085.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0085.920] lstrlenW (lpString=".doc") returned 4 [0085.920] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.920] lstrlenW (lpString=".docx") returned 5 [0085.920] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.920] lstrlenW (lpString=".pdf") returned 4 [0085.920] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.920] lstrlenW (lpString=".xls") returned 4 [0085.920] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.920] lstrlenW (lpString=".xlsx") returned 5 [0085.920] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.920] lstrlenW (lpString=".ppt") returned 4 [0085.920] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0085.920] lstrlenW (lpString=".zip") returned 4 [0085.920] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.920] lstrlenW (lpString=".rar") returned 4 [0085.921] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.921] lstrlenW (lpString=".bz2") returned 4 [0085.921] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.921] lstrlenW (lpString=".7z") returned 3 [0085.921] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0085.921] lstrlenW (lpString=".dbf") returned 4 [0085.921] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0085.921] lstrlenW (lpString=".1cd") returned 4 [0085.921] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0085.921] lstrlenW (lpString=".jpg") returned 4 [0085.921] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0085.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0085.921] lstrlenW (lpString=".doc") returned 4 [0085.921] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.921] lstrlenW (lpString=".docx") returned 5 [0085.921] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.921] lstrlenW (lpString=".pdf") returned 4 [0085.921] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.921] lstrlenW (lpString=".xls") returned 4 [0085.921] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.921] lstrlenW (lpString=".xlsx") returned 5 [0085.921] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.921] lstrlenW (lpString=".ppt") returned 4 [0085.921] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0085.921] lstrlenW (lpString=".zip") returned 4 [0085.921] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.921] lstrlenW (lpString=".rar") returned 4 [0085.921] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.922] lstrlenW (lpString=".bz2") returned 4 [0085.922] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.922] lstrlenW (lpString=".7z") returned 3 [0085.922] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0085.922] lstrlenW (lpString=".dbf") returned 4 [0085.922] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0085.922] lstrlenW (lpString=".1cd") returned 4 [0085.922] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0085.922] lstrlenW (lpString=".jpg") returned 4 [0085.922] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.922] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.922] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.922] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0085.925] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1593) returned 1 [0085.925] CloseHandle (hObject=0x1f4) returned 1 [0085.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 0x20 [0085.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.925] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0085.925] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.925] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.925] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0085.933] GetLastError () returned 0x0 [0085.933] ReadFile (in: hFile=0x1f4, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x639, lpOverlapped=0x0) returned 1 [0085.938] WriteFile (in: hFile=0x200, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x640, lpOverlapped=0x0) returned 1 [0085.939] ReadFile (in: hFile=0x1f4, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.939] WriteFile (in: hFile=0x200, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.940] SetEndOfFile (hFile=0x200) returned 1 [0085.940] CloseHandle (hObject=0x200) returned 1 [0085.940] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.940] SetEndOfFile (hFile=0x1f4) returned 1 [0085.941] CloseHandle (hObject=0x1f4) returned 1 [0085.941] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.941] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 1 [0085.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0085.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0085.942] lstrlenW (lpString=".doc") returned 4 [0085.942] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.942] lstrlenW (lpString=".docx") returned 5 [0085.942] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.942] lstrlenW (lpString=".pdf") returned 4 [0085.942] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.942] lstrlenW (lpString=".xls") returned 4 [0085.942] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.942] lstrlenW (lpString=".xlsx") returned 5 [0085.942] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.942] lstrlenW (lpString=".ppt") returned 4 [0085.942] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0085.942] lstrlenW (lpString=".zip") returned 4 [0085.942] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.942] lstrlenW (lpString=".rar") returned 4 [0085.942] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.942] lstrlenW (lpString=".bz2") returned 4 [0085.942] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.942] lstrlenW (lpString=".7z") returned 3 [0085.943] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0085.943] lstrlenW (lpString=".dbf") returned 4 [0085.943] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0085.943] lstrlenW (lpString=".1cd") returned 4 [0085.943] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0085.943] lstrlenW (lpString=".jpg") returned 4 [0085.943] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0085.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0085.943] lstrlenW (lpString=".doc") returned 4 [0085.943] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0085.943] lstrlenW (lpString=".docx") returned 5 [0085.943] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0085.943] lstrlenW (lpString=".pdf") returned 4 [0085.943] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0085.943] lstrlenW (lpString=".xls") returned 4 [0085.943] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0085.943] lstrlenW (lpString=".xlsx") returned 5 [0085.943] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0085.943] lstrlenW (lpString=".ppt") returned 4 [0085.943] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0085.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0085.943] lstrlenW (lpString=".zip") returned 4 [0085.943] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0085.943] lstrlenW (lpString=".rar") returned 4 [0085.944] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0085.944] lstrlenW (lpString=".bz2") returned 4 [0085.944] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0085.944] lstrlenW (lpString=".7z") returned 3 [0085.944] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0085.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0085.944] lstrlenW (lpString=".dbf") returned 4 [0085.944] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0085.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0085.944] lstrlenW (lpString=".1cd") returned 4 [0085.944] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0085.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0085.944] lstrlenW (lpString=".jpg") returned 4 [0085.944] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0085.944] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.944] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0085.947] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=21745) returned 1 [0085.947] CloseHandle (hObject=0x200) returned 1 [0085.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 0x20 [0085.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.948] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0085.948] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.948] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.948] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0085.948] GetLastError () returned 0x0 [0085.949] ReadFile (in: hFile=0x200, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x54f1, lpOverlapped=0x0) returned 1 [0085.951] WriteFile (in: hFile=0x1fc, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x5500, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x5500, lpOverlapped=0x0) returned 1 [0085.953] ReadFile (in: hFile=0x200, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.953] WriteFile (in: hFile=0x1fc, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.953] SetEndOfFile (hFile=0x1fc) returned 1 [0085.953] CloseHandle (hObject=0x1fc) returned 1 [0085.953] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.954] SetEndOfFile (hFile=0x200) returned 1 [0085.955] CloseHandle (hObject=0x200) returned 1 [0085.955] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.955] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 1 [0085.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0085.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0085.955] lstrlenW (lpString=".doc") returned 4 [0085.955] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.955] lstrlenW (lpString=".docx") returned 5 [0085.955] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.955] lstrlenW (lpString=".pdf") returned 4 [0085.956] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.956] lstrlenW (lpString=".xls") returned 4 [0085.956] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.956] lstrlenW (lpString=".xlsx") returned 5 [0085.956] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.956] lstrlenW (lpString=".ppt") returned 4 [0085.956] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0085.956] lstrlenW (lpString=".zip") returned 4 [0085.956] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.956] lstrlenW (lpString=".rar") returned 4 [0085.956] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.956] lstrlenW (lpString=".bz2") returned 4 [0085.956] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.956] lstrlenW (lpString=".7z") returned 3 [0085.956] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0085.956] lstrlenW (lpString=".dbf") returned 4 [0085.956] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0085.956] lstrlenW (lpString=".1cd") returned 4 [0085.956] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0085.957] lstrlenW (lpString=".jpg") returned 4 [0085.957] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0085.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0085.957] lstrlenW (lpString=".doc") returned 4 [0085.957] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.957] lstrlenW (lpString=".docx") returned 5 [0085.957] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.957] lstrlenW (lpString=".pdf") returned 4 [0085.957] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.957] lstrlenW (lpString=".xls") returned 4 [0085.957] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.957] lstrlenW (lpString=".xlsx") returned 5 [0085.957] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.957] lstrlenW (lpString=".ppt") returned 4 [0085.957] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0085.957] lstrlenW (lpString=".zip") returned 4 [0085.957] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.957] lstrlenW (lpString=".rar") returned 4 [0085.957] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.957] lstrlenW (lpString=".bz2") returned 4 [0085.957] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.957] lstrlenW (lpString=".7z") returned 3 [0085.957] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0085.958] lstrlenW (lpString=".dbf") returned 4 [0085.958] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0085.958] lstrlenW (lpString=".1cd") returned 4 [0085.958] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0085.958] lstrlenW (lpString=".jpg") returned 4 [0085.958] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.958] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0085.958] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0085.958] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0085.959] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1339) returned 1 [0085.959] CloseHandle (hObject=0x200) returned 1 [0085.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif")) returned 0x20 [0085.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0085.959] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.959] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0086.425] GetLastError () returned 0x0 [0086.425] ReadFile (in: hFile=0x200, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x53b, lpOverlapped=0x0) returned 1 [0086.587] WriteFile (in: hFile=0x1d4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x540, lpOverlapped=0x0) returned 1 [0086.589] ReadFile (in: hFile=0x200, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.589] WriteFile (in: hFile=0x1d4, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0086.589] SetEndOfFile (hFile=0x1d4) returned 1 [0086.589] CloseHandle (hObject=0x1d4) returned 1 [0086.589] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.589] SetEndOfFile (hFile=0x200) returned 1 [0086.590] CloseHandle (hObject=0x200) returned 1 [0086.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.591] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif")) returned 1 [0086.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0086.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0086.591] lstrlenW (lpString=".doc") returned 4 [0086.591] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0086.591] lstrlenW (lpString=".docx") returned 5 [0086.591] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0086.591] lstrlenW (lpString=".pdf") returned 4 [0086.591] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0086.591] lstrlenW (lpString=".xls") returned 4 [0086.591] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0086.591] lstrlenW (lpString=".xlsx") returned 5 [0086.591] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0086.592] lstrlenW (lpString=".ppt") returned 4 [0086.592] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0086.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0086.592] lstrlenW (lpString=".zip") returned 4 [0086.592] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0086.592] lstrlenW (lpString=".rar") returned 4 [0086.592] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0086.592] lstrlenW (lpString=".bz2") returned 4 [0086.592] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0086.592] lstrlenW (lpString=".7z") returned 3 [0086.592] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0086.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0086.592] lstrlenW (lpString=".dbf") returned 4 [0086.592] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0086.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0086.592] lstrlenW (lpString=".1cd") returned 4 [0086.592] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0086.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0086.592] lstrlenW (lpString=".jpg") returned 4 [0086.592] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0086.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0086.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0086.592] lstrlenW (lpString=".doc") returned 4 [0086.592] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0086.592] lstrlenW (lpString=".docx") returned 5 [0086.592] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0086.592] lstrlenW (lpString=".pdf") returned 4 [0086.593] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0086.593] lstrlenW (lpString=".xls") returned 4 [0086.593] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0086.593] lstrlenW (lpString=".xlsx") returned 5 [0086.593] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0086.593] lstrlenW (lpString=".ppt") returned 4 [0086.593] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0086.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0086.593] lstrlenW (lpString=".zip") returned 4 [0086.593] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0086.593] lstrlenW (lpString=".rar") returned 4 [0086.593] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0086.593] lstrlenW (lpString=".bz2") returned 4 [0086.593] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0086.593] lstrlenW (lpString=".7z") returned 3 [0086.593] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0086.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0086.593] lstrlenW (lpString=".dbf") returned 4 [0086.593] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0086.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0086.593] lstrlenW (lpString=".1cd") returned 4 [0086.593] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0086.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0086.593] lstrlenW (lpString=".jpg") returned 4 [0086.593] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0086.594] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0086.594] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0086.594] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0086.594] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=2604) returned 1 [0086.594] CloseHandle (hObject=0x200) returned 1 [0086.594] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 0x20 [0086.595] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.595] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0086.595] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.595] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.595] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0087.357] GetLastError () returned 0x0 [0087.357] ReadFile (in: hFile=0x200, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0xa2c, lpOverlapped=0x0) returned 1 [0087.362] WriteFile (in: hFile=0x214, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xa30, lpOverlapped=0x0) returned 1 [0087.364] ReadFile (in: hFile=0x200, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0087.364] WriteFile (in: hFile=0x214, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0087.364] SetEndOfFile (hFile=0x214) returned 1 [0087.364] CloseHandle (hObject=0x214) returned 1 [0087.364] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0087.364] SetEndOfFile (hFile=0x200) returned 1 [0087.365] CloseHandle (hObject=0x200) returned 1 [0087.365] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0087.564] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 1 [0087.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0087.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0087.564] lstrlenW (lpString=".doc") returned 4 [0087.564] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0087.564] lstrlenW (lpString=".docx") returned 5 [0087.564] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0087.564] lstrlenW (lpString=".pdf") returned 4 [0087.564] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0087.564] lstrlenW (lpString=".xls") returned 4 [0087.564] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0087.564] lstrlenW (lpString=".xlsx") returned 5 [0087.564] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0087.565] lstrlenW (lpString=".ppt") returned 4 [0087.565] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0087.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0087.565] lstrlenW (lpString=".zip") returned 4 [0087.565] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0087.565] lstrlenW (lpString=".rar") returned 4 [0087.565] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0087.565] lstrlenW (lpString=".bz2") returned 4 [0087.565] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0087.565] lstrlenW (lpString=".7z") returned 3 [0087.565] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0087.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0087.565] lstrlenW (lpString=".dbf") returned 4 [0087.565] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0087.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0087.565] lstrlenW (lpString=".1cd") returned 4 [0087.565] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0087.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0087.565] lstrlenW (lpString=".jpg") returned 4 [0087.565] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0087.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0087.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0087.565] lstrlenW (lpString=".doc") returned 4 [0087.565] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0087.565] lstrlenW (lpString=".docx") returned 5 [0087.565] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0087.565] lstrlenW (lpString=".pdf") returned 4 [0087.566] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0087.566] lstrlenW (lpString=".xls") returned 4 [0087.566] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0087.566] lstrlenW (lpString=".xlsx") returned 5 [0087.566] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0087.566] lstrlenW (lpString=".ppt") returned 4 [0087.566] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0087.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0087.566] lstrlenW (lpString=".zip") returned 4 [0087.566] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0087.566] lstrlenW (lpString=".rar") returned 4 [0087.566] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0087.566] lstrlenW (lpString=".bz2") returned 4 [0087.566] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0087.566] lstrlenW (lpString=".7z") returned 3 [0087.566] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0087.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0087.566] lstrlenW (lpString=".dbf") returned 4 [0087.566] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0087.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0087.566] lstrlenW (lpString=".1cd") returned 4 [0087.566] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0087.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0087.566] lstrlenW (lpString=".jpg") returned 4 [0087.566] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0087.567] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0087.567] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0087.567] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0087.668] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=3611) returned 1 [0087.668] CloseHandle (hObject=0x1d0) returned 1 [0087.668] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 0x20 [0087.671] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0087.673] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0087.678] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0087.678] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0087.678] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0088.236] GetLastError () returned 0x0 [0088.236] ReadFile (in: hFile=0x1e4, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0xe1b, lpOverlapped=0x0) returned 1 [0088.438] WriteFile (in: hFile=0x1fc, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe20, lpOverlapped=0x0) returned 1 [0088.439] ReadFile (in: hFile=0x1e4, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0088.439] WriteFile (in: hFile=0x1fc, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0088.439] SetEndOfFile (hFile=0x1fc) returned 1 [0088.439] CloseHandle (hObject=0x1fc) returned 1 [0088.439] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.440] SetEndOfFile (hFile=0x1e4) returned 1 [0088.440] CloseHandle (hObject=0x1e4) returned 1 [0088.441] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0088.441] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 1 [0088.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0088.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0088.441] lstrlenW (lpString=".doc") returned 4 [0088.441] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0088.441] lstrlenW (lpString=".docx") returned 5 [0088.441] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0088.441] lstrlenW (lpString=".pdf") returned 4 [0088.441] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0088.441] lstrlenW (lpString=".xls") returned 4 [0088.441] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0088.441] lstrlenW (lpString=".xlsx") returned 5 [0088.441] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0088.441] lstrlenW (lpString=".ppt") returned 4 [0088.441] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0088.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0088.441] lstrlenW (lpString=".zip") returned 4 [0088.442] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0088.442] lstrlenW (lpString=".rar") returned 4 [0088.442] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0088.442] lstrlenW (lpString=".bz2") returned 4 [0088.442] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0088.442] lstrlenW (lpString=".7z") returned 3 [0088.442] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0088.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0088.442] lstrlenW (lpString=".dbf") returned 4 [0088.442] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0088.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0088.442] lstrlenW (lpString=".1cd") returned 4 [0088.442] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0088.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0088.442] lstrlenW (lpString=".jpg") returned 4 [0088.442] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0088.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0088.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0088.442] lstrlenW (lpString=".doc") returned 4 [0088.442] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0088.442] lstrlenW (lpString=".docx") returned 5 [0088.442] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0088.442] lstrlenW (lpString=".pdf") returned 4 [0088.442] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0088.442] lstrlenW (lpString=".xls") returned 4 [0088.442] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0088.442] lstrlenW (lpString=".xlsx") returned 5 [0088.442] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0088.442] lstrlenW (lpString=".ppt") returned 4 [0088.442] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0088.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0088.442] lstrlenW (lpString=".zip") returned 4 [0088.442] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0088.442] lstrlenW (lpString=".rar") returned 4 [0088.442] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0088.442] lstrlenW (lpString=".bz2") returned 4 [0088.443] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0088.443] lstrlenW (lpString=".7z") returned 3 [0088.443] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0088.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0088.443] lstrlenW (lpString=".dbf") returned 4 [0088.443] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0088.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0088.443] lstrlenW (lpString=".1cd") returned 4 [0088.443] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0088.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0088.443] lstrlenW (lpString=".jpg") returned 4 [0088.443] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0088.443] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0088.443] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0088.443] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0089.603] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=1009) returned 1 [0089.603] CloseHandle (hObject=0x1e8) returned 1 [0089.603] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 0x20 [0089.603] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0089.603] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0089.603] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.603] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.603] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0089.604] GetLastError () returned 0x0 [0089.604] ReadFile (in: hFile=0x1e8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x3f1, lpOverlapped=0x0) returned 1 [0089.848] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x400, lpOverlapped=0x0) returned 1 [0089.854] ReadFile (in: hFile=0x1e8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0089.855] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0089.855] SetEndOfFile (hFile=0x204) returned 1 [0089.855] CloseHandle (hObject=0x204) returned 1 [0089.855] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.855] SetEndOfFile (hFile=0x1e8) returned 1 [0089.856] CloseHandle (hObject=0x1e8) returned 1 [0089.856] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0089.856] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 1 [0089.857] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0089.857] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0089.857] lstrlenW (lpString=".doc") returned 4 [0089.857] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0089.857] lstrlenW (lpString=".docx") returned 5 [0089.857] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0089.857] lstrlenW (lpString=".pdf") returned 4 [0089.857] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0089.857] lstrlenW (lpString=".xls") returned 4 [0089.857] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0089.857] lstrlenW (lpString=".xlsx") returned 5 [0089.857] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0089.857] lstrlenW (lpString=".ppt") returned 4 [0089.857] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0089.857] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0089.857] lstrlenW (lpString=".zip") returned 4 [0089.857] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0089.857] lstrlenW (lpString=".rar") returned 4 [0089.857] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0089.857] lstrlenW (lpString=".bz2") returned 4 [0089.857] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0089.857] lstrlenW (lpString=".7z") returned 3 [0089.857] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0089.857] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0089.858] lstrlenW (lpString=".dbf") returned 4 [0089.858] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0089.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0089.858] lstrlenW (lpString=".1cd") returned 4 [0089.858] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0089.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0089.858] lstrlenW (lpString=".jpg") returned 4 [0089.858] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0089.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0089.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0089.858] lstrlenW (lpString=".doc") returned 4 [0089.858] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0089.858] lstrlenW (lpString=".docx") returned 5 [0089.858] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0089.858] lstrlenW (lpString=".pdf") returned 4 [0089.858] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0089.858] lstrlenW (lpString=".xls") returned 4 [0089.858] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0089.858] lstrlenW (lpString=".xlsx") returned 5 [0089.858] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0089.858] lstrlenW (lpString=".ppt") returned 4 [0089.858] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0089.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0089.858] lstrlenW (lpString=".zip") returned 4 [0089.858] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0089.858] lstrlenW (lpString=".rar") returned 4 [0089.858] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0089.858] lstrlenW (lpString=".bz2") returned 4 [0089.858] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0089.859] lstrlenW (lpString=".7z") returned 3 [0089.859] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0089.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0089.859] lstrlenW (lpString=".dbf") returned 4 [0089.859] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0089.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0089.859] lstrlenW (lpString=".1cd") returned 4 [0089.859] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0089.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0089.859] lstrlenW (lpString=".jpg") returned 4 [0089.859] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0089.859] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0089.859] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0089.859] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0089.860] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=33479) returned 1 [0089.860] CloseHandle (hObject=0x1e8) returned 1 [0089.860] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 0x20 [0089.860] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0089.860] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0089.860] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.860] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.860] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0089.861] GetLastError () returned 0x0 [0089.861] ReadFile (in: hFile=0x1e8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x82c7, lpOverlapped=0x0) returned 1 [0089.912] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x82d0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x82d0, lpOverlapped=0x0) returned 1 [0089.916] ReadFile (in: hFile=0x1e8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0089.916] WriteFile (in: hFile=0x204, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0089.916] SetEndOfFile (hFile=0x204) returned 1 [0089.916] CloseHandle (hObject=0x204) returned 1 [0089.917] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.917] SetEndOfFile (hFile=0x1e8) returned 1 [0089.918] CloseHandle (hObject=0x1e8) returned 1 [0089.918] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0089.918] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 1 [0089.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0089.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0089.919] lstrlenW (lpString=".doc") returned 4 [0089.919] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0089.919] lstrlenW (lpString=".docx") returned 5 [0089.919] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0089.919] lstrlenW (lpString=".pdf") returned 4 [0089.919] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0089.919] lstrlenW (lpString=".xls") returned 4 [0089.919] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0089.919] lstrlenW (lpString=".xlsx") returned 5 [0089.919] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0089.919] lstrlenW (lpString=".ppt") returned 4 [0089.919] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0089.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0089.919] lstrlenW (lpString=".zip") returned 4 [0089.919] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0089.919] lstrlenW (lpString=".rar") returned 4 [0089.919] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0089.919] lstrlenW (lpString=".bz2") returned 4 [0089.919] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0089.919] lstrlenW (lpString=".7z") returned 3 [0089.919] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0089.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0089.919] lstrlenW (lpString=".dbf") returned 4 [0089.919] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0089.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0089.920] lstrlenW (lpString=".1cd") returned 4 [0089.920] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0089.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0089.920] lstrlenW (lpString=".jpg") returned 4 [0089.920] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0089.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0089.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0089.920] lstrlenW (lpString=".doc") returned 4 [0089.920] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0089.920] lstrlenW (lpString=".docx") returned 5 [0089.920] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0089.920] lstrlenW (lpString=".pdf") returned 4 [0089.920] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0089.920] lstrlenW (lpString=".xls") returned 4 [0089.920] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0089.920] lstrlenW (lpString=".xlsx") returned 5 [0089.920] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0089.920] lstrlenW (lpString=".ppt") returned 4 [0089.920] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0089.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0089.920] lstrlenW (lpString=".zip") returned 4 [0089.920] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0089.920] lstrlenW (lpString=".rar") returned 4 [0089.920] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0089.920] lstrlenW (lpString=".bz2") returned 4 [0089.920] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0089.920] lstrlenW (lpString=".7z") returned 3 [0089.920] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0089.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0089.921] lstrlenW (lpString=".dbf") returned 4 [0089.921] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0089.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0089.921] lstrlenW (lpString=".1cd") returned 4 [0089.921] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0089.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0089.921] lstrlenW (lpString=".jpg") returned 4 [0089.921] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0089.921] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0089.921] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0089.921] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0089.934] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=18380) returned 1 [0089.934] CloseHandle (hObject=0x204) returned 1 [0089.937] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 0x20 [0089.937] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0089.937] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0089.948] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.948] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.948] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0089.949] GetLastError () returned 0x0 [0089.949] ReadFile (in: hFile=0x204, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x47cc, lpOverlapped=0x0) returned 1 [0089.964] WriteFile (in: hFile=0x20c, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x47d0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x47d0, lpOverlapped=0x0) returned 1 [0089.965] ReadFile (in: hFile=0x204, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0089.965] WriteFile (in: hFile=0x20c, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0089.965] SetEndOfFile (hFile=0x20c) returned 1 [0089.966] CloseHandle (hObject=0x20c) returned 1 [0089.966] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.966] SetEndOfFile (hFile=0x204) returned 1 [0089.967] CloseHandle (hObject=0x204) returned 1 [0089.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0089.968] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 1 [0089.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0089.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0089.968] lstrlenW (lpString=".doc") returned 4 [0089.968] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0089.968] lstrlenW (lpString=".docx") returned 5 [0089.968] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0089.968] lstrlenW (lpString=".pdf") returned 4 [0089.968] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0089.968] lstrlenW (lpString=".xls") returned 4 [0089.968] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0089.968] lstrlenW (lpString=".xlsx") returned 5 [0089.968] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0089.968] lstrlenW (lpString=".ppt") returned 4 [0089.968] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0089.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0089.968] lstrlenW (lpString=".zip") returned 4 [0089.968] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0089.968] lstrlenW (lpString=".rar") returned 4 [0089.968] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0089.968] lstrlenW (lpString=".bz2") returned 4 [0089.969] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0089.969] lstrlenW (lpString=".7z") returned 3 [0089.969] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0089.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0089.969] lstrlenW (lpString=".dbf") returned 4 [0089.969] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0089.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0089.969] lstrlenW (lpString=".1cd") returned 4 [0089.969] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0089.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0089.969] lstrlenW (lpString=".jpg") returned 4 [0089.969] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0089.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0089.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0089.969] lstrlenW (lpString=".doc") returned 4 [0089.969] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0089.969] lstrlenW (lpString=".docx") returned 5 [0089.969] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0089.969] lstrlenW (lpString=".pdf") returned 4 [0089.969] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0089.969] lstrlenW (lpString=".xls") returned 4 [0089.969] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0089.969] lstrlenW (lpString=".xlsx") returned 5 [0089.969] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0089.969] lstrlenW (lpString=".ppt") returned 4 [0089.969] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0089.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0089.970] lstrlenW (lpString=".zip") returned 4 [0089.970] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0089.970] lstrlenW (lpString=".rar") returned 4 [0089.970] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0089.970] lstrlenW (lpString=".bz2") returned 4 [0089.970] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0089.970] lstrlenW (lpString=".7z") returned 3 [0089.970] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0089.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0089.970] lstrlenW (lpString=".dbf") returned 4 [0089.970] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0089.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0089.970] lstrlenW (lpString=".1cd") returned 4 [0089.970] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0089.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0089.970] lstrlenW (lpString=".jpg") returned 4 [0089.970] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0089.970] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0089.970] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0089.970] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0089.971] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=2668) returned 1 [0089.971] CloseHandle (hObject=0x204) returned 1 [0089.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif")) returned 0x20 [0089.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0089.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0089.971] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.971] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0090.417] GetLastError () returned 0x0 [0090.417] ReadFile (in: hFile=0x204, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0xa6c, lpOverlapped=0x0) returned 1 [0090.419] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xa70, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xa70, lpOverlapped=0x0) returned 1 [0090.420] ReadFile (in: hFile=0x204, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0090.420] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0090.420] SetEndOfFile (hFile=0x1d8) returned 1 [0090.420] CloseHandle (hObject=0x1d8) returned 1 [0090.421] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.421] SetEndOfFile (hFile=0x204) returned 1 [0090.422] CloseHandle (hObject=0x204) returned 1 [0090.422] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0090.422] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif")) returned 1 [0090.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0090.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0090.422] lstrlenW (lpString=".doc") returned 4 [0090.422] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0090.422] lstrlenW (lpString=".docx") returned 5 [0090.422] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0090.422] lstrlenW (lpString=".pdf") returned 4 [0090.422] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0090.422] lstrlenW (lpString=".xls") returned 4 [0090.422] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0090.422] lstrlenW (lpString=".xlsx") returned 5 [0090.423] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0090.423] lstrlenW (lpString=".ppt") returned 4 [0090.423] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0090.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0090.423] lstrlenW (lpString=".zip") returned 4 [0090.423] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0090.423] lstrlenW (lpString=".rar") returned 4 [0090.423] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0090.423] lstrlenW (lpString=".bz2") returned 4 [0090.423] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0090.423] lstrlenW (lpString=".7z") returned 3 [0090.423] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0090.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0090.423] lstrlenW (lpString=".dbf") returned 4 [0090.423] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0090.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0090.423] lstrlenW (lpString=".1cd") returned 4 [0090.423] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0090.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0090.423] lstrlenW (lpString=".jpg") returned 4 [0090.423] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0090.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0090.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0090.423] lstrlenW (lpString=".doc") returned 4 [0090.423] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0090.423] lstrlenW (lpString=".docx") returned 5 [0090.423] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0090.423] lstrlenW (lpString=".pdf") returned 4 [0090.423] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0090.423] lstrlenW (lpString=".xls") returned 4 [0090.423] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0090.423] lstrlenW (lpString=".xlsx") returned 5 [0090.423] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0090.423] lstrlenW (lpString=".ppt") returned 4 [0090.424] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0090.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0090.424] lstrlenW (lpString=".zip") returned 4 [0090.424] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0090.424] lstrlenW (lpString=".rar") returned 4 [0090.424] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0090.424] lstrlenW (lpString=".bz2") returned 4 [0090.424] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0090.424] lstrlenW (lpString=".7z") returned 3 [0090.424] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0090.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0090.424] lstrlenW (lpString=".dbf") returned 4 [0090.424] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0090.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0090.424] lstrlenW (lpString=".1cd") returned 4 [0090.424] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0090.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0090.424] lstrlenW (lpString=".jpg") returned 4 [0090.424] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0090.424] lstrcmpiW (lpString1=".CHM", lpString2=".mnbzr") returned -1 [0090.424] lstrlenW (lpString="FM20.CHM") returned 8 [0090.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0090.426] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=334427) returned 1 [0090.426] CloseHandle (hObject=0x204) returned 1 [0090.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm")) returned 0x20 [0090.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0090.426] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0090.426] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.426] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.426] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0090.427] GetLastError () returned 0x0 [0090.427] ReadFile (in: hFile=0x204, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x51a5b, lpOverlapped=0x0) returned 1 [0090.437] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x51a60, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x51a60, lpOverlapped=0x0) returned 1 [0090.443] ReadFile (in: hFile=0x204, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0090.443] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0090.443] SetEndOfFile (hFile=0x1d8) returned 1 [0090.444] CloseHandle (hObject=0x1d8) returned 1 [0090.444] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.444] SetEndOfFile (hFile=0x204) returned 1 [0090.447] CloseHandle (hObject=0x204) returned 1 [0090.448] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0090.448] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm")) returned 1 [0090.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0090.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0090.448] lstrlenW (lpString=".doc") returned 4 [0090.448] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0090.448] lstrlenW (lpString=".docx") returned 5 [0090.448] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0090.448] lstrlenW (lpString=".pdf") returned 4 [0090.448] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0090.448] lstrlenW (lpString=".xls") returned 4 [0090.448] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0090.448] lstrlenW (lpString=".xlsx") returned 5 [0090.448] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0090.448] lstrlenW (lpString=".ppt") returned 4 [0090.449] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0090.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0090.449] lstrlenW (lpString=".zip") returned 4 [0090.449] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0090.449] lstrlenW (lpString=".rar") returned 4 [0090.449] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0090.449] lstrlenW (lpString=".bz2") returned 4 [0090.449] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0090.449] lstrlenW (lpString=".7z") returned 3 [0090.449] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0090.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0090.449] lstrlenW (lpString=".dbf") returned 4 [0090.449] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0090.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0090.449] lstrlenW (lpString=".1cd") returned 4 [0090.449] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0090.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0090.449] lstrlenW (lpString=".jpg") returned 4 [0090.449] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0090.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0090.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0090.449] lstrlenW (lpString=".doc") returned 4 [0090.449] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0090.449] lstrlenW (lpString=".docx") returned 5 [0090.449] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0090.449] lstrlenW (lpString=".pdf") returned 4 [0090.449] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0090.449] lstrlenW (lpString=".xls") returned 4 [0090.449] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0090.449] lstrlenW (lpString=".xlsx") returned 5 [0090.449] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0090.450] lstrlenW (lpString=".ppt") returned 4 [0090.450] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0090.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0090.450] lstrlenW (lpString=".zip") returned 4 [0090.450] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0090.450] lstrlenW (lpString=".rar") returned 4 [0090.450] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0090.450] lstrlenW (lpString=".bz2") returned 4 [0090.450] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0090.450] lstrlenW (lpString=".7z") returned 3 [0090.450] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0090.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0090.450] lstrlenW (lpString=".dbf") returned 4 [0090.450] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0090.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0090.450] lstrlenW (lpString=".1cd") returned 4 [0090.450] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0090.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0090.450] lstrlenW (lpString=".jpg") returned 4 [0090.450] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0090.450] lstrcmpiW (lpString1=".CHM", lpString2=".mnbzr") returned -1 [0090.450] lstrlenW (lpString="VBCN6.CHM") returned 9 [0090.450] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0090.451] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=109718) returned 1 [0090.451] CloseHandle (hObject=0x204) returned 1 [0090.451] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 0x20 [0090.451] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0090.451] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0090.451] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.451] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.451] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0090.452] GetLastError () returned 0x0 [0090.452] ReadFile (in: hFile=0x204, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x1ac96, lpOverlapped=0x0) returned 1 [0090.632] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x1aca0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x1aca0, lpOverlapped=0x0) returned 1 [0090.636] ReadFile (in: hFile=0x204, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0090.636] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0090.636] SetEndOfFile (hFile=0x1d8) returned 1 [0090.636] CloseHandle (hObject=0x1d8) returned 1 [0090.637] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.637] SetEndOfFile (hFile=0x204) returned 1 [0090.639] CloseHandle (hObject=0x204) returned 1 [0090.639] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0090.640] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 1 [0090.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0090.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0090.640] lstrlenW (lpString=".doc") returned 4 [0090.640] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0090.640] lstrlenW (lpString=".docx") returned 5 [0090.640] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0090.640] lstrlenW (lpString=".pdf") returned 4 [0090.640] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0090.640] lstrlenW (lpString=".xls") returned 4 [0090.640] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0090.640] lstrlenW (lpString=".xlsx") returned 5 [0090.640] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0090.640] lstrlenW (lpString=".ppt") returned 4 [0090.640] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0090.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0090.640] lstrlenW (lpString=".zip") returned 4 [0090.640] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0090.640] lstrlenW (lpString=".rar") returned 4 [0090.641] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0090.641] lstrlenW (lpString=".bz2") returned 4 [0090.641] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0090.641] lstrlenW (lpString=".7z") returned 3 [0090.641] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0090.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0090.641] lstrlenW (lpString=".dbf") returned 4 [0090.641] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0090.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0090.641] lstrlenW (lpString=".1cd") returned 4 [0090.641] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0090.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0090.641] lstrlenW (lpString=".jpg") returned 4 [0090.641] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0090.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0090.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0090.641] lstrlenW (lpString=".doc") returned 4 [0090.641] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0090.641] lstrlenW (lpString=".docx") returned 5 [0090.641] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0090.641] lstrlenW (lpString=".pdf") returned 4 [0090.641] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0090.641] lstrlenW (lpString=".xls") returned 4 [0090.641] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0090.641] lstrlenW (lpString=".xlsx") returned 5 [0090.642] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0090.642] lstrlenW (lpString=".ppt") returned 4 [0090.642] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0090.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0090.642] lstrlenW (lpString=".zip") returned 4 [0090.642] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0090.642] lstrlenW (lpString=".rar") returned 4 [0090.642] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0090.642] lstrlenW (lpString=".bz2") returned 4 [0090.642] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0090.642] lstrlenW (lpString=".7z") returned 3 [0090.642] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0090.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0090.642] lstrlenW (lpString=".dbf") returned 4 [0090.642] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0090.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0090.642] lstrlenW (lpString=".1cd") returned 4 [0090.642] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0090.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0090.642] lstrlenW (lpString=".jpg") returned 4 [0090.642] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0090.642] lstrcmpiW (lpString1=".CHM", lpString2=".mnbzr") returned -1 [0090.643] lstrlenW (lpString="VBOB6.CHM") returned 9 [0090.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0090.643] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=123956) returned 1 [0090.643] CloseHandle (hObject=0x204) returned 1 [0090.643] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 0x20 [0090.643] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0090.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0090.644] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.644] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0090.644] GetLastError () returned 0x0 [0090.644] ReadFile (in: hFile=0x204, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x1e434, lpOverlapped=0x0) returned 1 [0090.649] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x1e440, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x1e440, lpOverlapped=0x0) returned 1 [0090.653] ReadFile (in: hFile=0x204, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0090.653] WriteFile (in: hFile=0x1d8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0090.654] SetEndOfFile (hFile=0x1d8) returned 1 [0090.654] CloseHandle (hObject=0x1d8) returned 1 [0090.654] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.654] SetEndOfFile (hFile=0x204) returned 1 [0090.656] CloseHandle (hObject=0x204) returned 1 [0090.660] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0090.660] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 1 [0090.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0090.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0090.661] lstrlenW (lpString=".doc") returned 4 [0090.661] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0090.661] lstrlenW (lpString=".docx") returned 5 [0090.661] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0090.661] lstrlenW (lpString=".pdf") returned 4 [0090.661] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0090.661] lstrlenW (lpString=".xls") returned 4 [0090.661] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0090.661] lstrlenW (lpString=".xlsx") returned 5 [0090.661] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0090.661] lstrlenW (lpString=".ppt") returned 4 [0090.661] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0090.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0090.661] lstrlenW (lpString=".zip") returned 4 [0090.661] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0090.661] lstrlenW (lpString=".rar") returned 4 [0090.661] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0090.661] lstrlenW (lpString=".bz2") returned 4 [0090.661] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0090.661] lstrlenW (lpString=".7z") returned 3 [0090.661] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0090.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0090.662] lstrlenW (lpString=".dbf") returned 4 [0090.662] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0090.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0090.662] lstrlenW (lpString=".1cd") returned 4 [0090.662] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0090.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0090.662] lstrlenW (lpString=".jpg") returned 4 [0090.662] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0090.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0090.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0090.662] lstrlenW (lpString=".doc") returned 4 [0090.662] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0090.662] lstrlenW (lpString=".docx") returned 5 [0090.662] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0090.662] lstrlenW (lpString=".pdf") returned 4 [0090.662] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0090.662] lstrlenW (lpString=".xls") returned 4 [0090.662] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0090.662] lstrlenW (lpString=".xlsx") returned 5 [0090.662] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0090.662] lstrlenW (lpString=".ppt") returned 4 [0090.662] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0090.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0090.662] lstrlenW (lpString=".zip") returned 4 [0090.662] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0090.662] lstrlenW (lpString=".rar") returned 4 [0090.663] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0090.663] lstrlenW (lpString=".bz2") returned 4 [0090.663] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0090.663] lstrlenW (lpString=".7z") returned 3 [0090.663] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0090.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0090.663] lstrlenW (lpString=".dbf") returned 4 [0090.663] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0090.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0090.663] lstrlenW (lpString=".1cd") returned 4 [0090.663] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0090.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0090.663] lstrlenW (lpString=".jpg") returned 4 [0090.663] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0090.663] lstrcmpiW (lpString1=".CHM", lpString2=".mnbzr") returned -1 [0090.663] lstrlenW (lpString="VBUI6.CHM") returned 9 [0090.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0092.498] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=416918) returned 1 [0092.498] CloseHandle (hObject=0x1d8) returned 1 [0092.498] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 0x20 [0092.498] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0092.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0092.499] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.499] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0092.499] GetLastError () returned 0x0 [0092.500] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x65c96, lpOverlapped=0x0) returned 1 [0092.512] WriteFile (in: hFile=0x1e8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x65ca0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x65ca0, lpOverlapped=0x0) returned 1 [0092.521] ReadFile (in: hFile=0x1d8, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0092.521] WriteFile (in: hFile=0x1e8, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0092.521] SetEndOfFile (hFile=0x1e8) returned 1 [0092.522] CloseHandle (hObject=0x1e8) returned 1 [0092.522] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.522] SetEndOfFile (hFile=0x1d8) returned 1 [0092.527] CloseHandle (hObject=0x1d8) returned 1 [0092.527] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0092.527] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 1 [0092.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0092.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0092.528] lstrlenW (lpString=".doc") returned 4 [0092.528] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0092.528] lstrlenW (lpString=".docx") returned 5 [0092.528] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0092.528] lstrlenW (lpString=".pdf") returned 4 [0092.528] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0092.528] lstrlenW (lpString=".xls") returned 4 [0092.528] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0092.528] lstrlenW (lpString=".xlsx") returned 5 [0092.528] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0092.528] lstrlenW (lpString=".ppt") returned 4 [0092.528] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0092.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0092.528] lstrlenW (lpString=".zip") returned 4 [0092.528] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0092.528] lstrlenW (lpString=".rar") returned 4 [0092.528] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0092.528] lstrlenW (lpString=".bz2") returned 4 [0092.528] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0092.528] lstrlenW (lpString=".7z") returned 3 [0092.529] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0092.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0092.529] lstrlenW (lpString=".dbf") returned 4 [0092.529] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0092.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0092.529] lstrlenW (lpString=".1cd") returned 4 [0092.529] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0092.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0092.529] lstrlenW (lpString=".jpg") returned 4 [0092.529] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0092.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0092.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0092.529] lstrlenW (lpString=".doc") returned 4 [0092.529] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0092.529] lstrlenW (lpString=".docx") returned 5 [0092.529] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0092.529] lstrlenW (lpString=".pdf") returned 4 [0092.529] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0092.529] lstrlenW (lpString=".xls") returned 4 [0092.529] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0092.529] lstrlenW (lpString=".xlsx") returned 5 [0092.529] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0092.529] lstrlenW (lpString=".ppt") returned 4 [0092.529] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0092.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0092.529] lstrlenW (lpString=".zip") returned 4 [0092.530] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0092.530] lstrlenW (lpString=".rar") returned 4 [0092.530] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0092.530] lstrlenW (lpString=".bz2") returned 4 [0092.530] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0092.530] lstrlenW (lpString=".7z") returned 3 [0092.530] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0092.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0092.530] lstrlenW (lpString=".dbf") returned 4 [0092.530] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0092.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0092.530] lstrlenW (lpString=".1cd") returned 4 [0092.530] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0092.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0092.530] lstrlenW (lpString=".jpg") returned 4 [0092.530] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0092.530] lstrcmpiW (lpString1=".config", lpString2=".mnbzr") returned -1 [0092.530] lstrlenW (lpString="VSTOInstaller.config") returned 20 [0092.530] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0092.787] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=716) returned 1 [0092.787] CloseHandle (hObject=0x1e4) returned 1 [0092.787] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config")) returned 0x20 [0092.788] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0092.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0092.788] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.788] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0092.788] GetLastError () returned 0x0 [0092.788] ReadFile (in: hFile=0x1e4, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x2cc, lpOverlapped=0x0) returned 1 [0092.792] WriteFile (in: hFile=0x210, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0x2d0, lpOverlapped=0x0) returned 1 [0092.793] ReadFile (in: hFile=0x1e4, lpBuffer=0x30c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c1fed4, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesRead=0x2c1fed4*=0x0, lpOverlapped=0x0) returned 1 [0092.793] WriteFile (in: hFile=0x210, lpBuffer=0x30c0020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x2c1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30c0020*, lpNumberOfBytesWritten=0x2c1fc9c*=0xfc, lpOverlapped=0x0) returned 1 [0092.794] SetEndOfFile (hFile=0x210) returned 1 [0092.794] CloseHandle (hObject=0x210) returned 1 [0092.794] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c1fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.794] SetEndOfFile (hFile=0x1e4) returned 1 [0092.795] CloseHandle (hObject=0x1e4) returned 1 [0092.795] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0092.796] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config")) returned 1 [0092.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0092.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0092.796] lstrlenW (lpString=".doc") returned 4 [0092.796] lstrcmpiW (lpString1=".doc", lpString2="nfig") returned -1 [0092.796] lstrlenW (lpString=".docx") returned 5 [0092.796] lstrcmpiW (lpString1=".docx", lpString2="onfig") returned -1 [0092.796] lstrlenW (lpString=".pdf") returned 4 [0092.796] lstrcmpiW (lpString1=".pdf", lpString2="nfig") returned -1 [0092.796] lstrlenW (lpString=".xls") returned 4 [0092.796] lstrcmpiW (lpString1=".xls", lpString2="nfig") returned -1 [0092.796] lstrlenW (lpString=".xlsx") returned 5 [0092.796] lstrcmpiW (lpString1=".xlsx", lpString2="onfig") returned -1 [0092.796] lstrlenW (lpString=".ppt") returned 4 [0092.796] lstrcmpiW (lpString1=".ppt", lpString2="nfig") returned -1 [0092.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0092.796] lstrlenW (lpString=".zip") returned 4 [0092.796] lstrcmpiW (lpString1=".zip", lpString2="nfig") returned -1 [0092.796] lstrlenW (lpString=".rar") returned 4 [0092.796] lstrcmpiW (lpString1=".rar", lpString2="nfig") returned -1 [0092.797] lstrlenW (lpString=".bz2") returned 4 [0092.797] lstrcmpiW (lpString1=".bz2", lpString2="nfig") returned -1 [0092.797] lstrlenW (lpString=".7z") returned 3 [0092.797] lstrcmpiW (lpString1=".7z", lpString2="fig") returned -1 [0092.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0092.797] lstrlenW (lpString=".dbf") returned 4 [0092.797] lstrcmpiW (lpString1=".dbf", lpString2="nfig") returned -1 [0092.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0092.797] lstrlenW (lpString=".1cd") returned 4 [0092.797] lstrcmpiW (lpString1=".1cd", lpString2="nfig") returned -1 [0092.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0092.797] lstrlenW (lpString=".jpg") returned 4 [0092.797] lstrcmpiW (lpString1=".jpg", lpString2="nfig") returned -1 [0092.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0092.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0092.797] lstrlenW (lpString=".doc") returned 4 [0092.797] lstrcmpiW (lpString1=".doc", lpString2="nfig") returned -1 [0092.797] lstrlenW (lpString=".docx") returned 5 [0092.797] lstrcmpiW (lpString1=".docx", lpString2="onfig") returned -1 [0092.797] lstrlenW (lpString=".pdf") returned 4 [0092.797] lstrcmpiW (lpString1=".pdf", lpString2="nfig") returned -1 [0092.798] lstrlenW (lpString=".xls") returned 4 [0092.798] lstrcmpiW (lpString1=".xls", lpString2="nfig") returned -1 [0092.798] lstrlenW (lpString=".xlsx") returned 5 [0092.798] lstrcmpiW (lpString1=".xlsx", lpString2="onfig") returned -1 [0092.798] lstrlenW (lpString=".ppt") returned 4 [0092.798] lstrcmpiW (lpString1=".ppt", lpString2="nfig") returned -1 [0092.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0092.798] lstrlenW (lpString=".zip") returned 4 [0092.798] lstrcmpiW (lpString1=".zip", lpString2="nfig") returned -1 [0092.798] lstrlenW (lpString=".rar") returned 4 [0092.798] lstrcmpiW (lpString1=".rar", lpString2="nfig") returned -1 [0092.798] lstrlenW (lpString=".bz2") returned 4 [0092.798] lstrcmpiW (lpString1=".bz2", lpString2="nfig") returned -1 [0092.798] lstrlenW (lpString=".7z") returned 3 [0092.798] lstrcmpiW (lpString1=".7z", lpString2="fig") returned -1 [0092.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0092.798] lstrlenW (lpString=".dbf") returned 4 [0092.798] lstrcmpiW (lpString1=".dbf", lpString2="nfig") returned -1 [0092.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0092.798] lstrlenW (lpString=".1cd") returned 4 [0092.798] lstrcmpiW (lpString1=".1cd", lpString2="nfig") returned -1 [0092.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0092.798] lstrlenW (lpString=".jpg") returned 4 [0092.798] lstrcmpiW (lpString1=".jpg", lpString2="nfig") returned -1 [0092.799] lstrcmpiW (lpString1=".inc", lpString2=".mnbzr") returned -1 [0092.799] lstrlenW (lpString="adovbs.inc") returned 10 [0092.799] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.064] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=14951) returned 1 [0093.064] CloseHandle (hObject=0x1f4) returned 1 [0093.064] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc")) returned 0x20 [0093.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.065] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0093.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0093.065] lstrlenW (lpString=".doc") returned 4 [0093.065] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0093.065] lstrlenW (lpString=".docx") returned 5 [0093.065] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0093.065] lstrlenW (lpString=".pdf") returned 4 [0093.065] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0093.065] lstrlenW (lpString=".xls") returned 4 [0093.065] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0093.065] lstrlenW (lpString=".xlsx") returned 5 [0093.065] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0093.065] lstrlenW (lpString=".ppt") returned 4 [0093.065] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0093.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0093.065] lstrlenW (lpString=".zip") returned 4 [0093.065] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0093.065] lstrlenW (lpString=".rar") returned 4 [0093.065] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0093.066] lstrlenW (lpString=".bz2") returned 4 [0093.066] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0093.066] lstrlenW (lpString=".7z") returned 3 [0093.066] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0093.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0093.066] lstrlenW (lpString=".dbf") returned 4 [0093.066] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0093.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0093.066] lstrlenW (lpString=".1cd") returned 4 [0093.066] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0093.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0093.066] lstrlenW (lpString=".jpg") returned 4 [0093.066] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0093.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0093.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0093.066] lstrlenW (lpString=".doc") returned 4 [0093.066] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0093.066] lstrlenW (lpString=".docx") returned 5 [0093.066] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0093.066] lstrlenW (lpString=".pdf") returned 4 [0093.066] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0093.066] lstrlenW (lpString=".xls") returned 4 [0093.066] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0093.066] lstrlenW (lpString=".xlsx") returned 5 [0093.066] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0093.067] lstrlenW (lpString=".ppt") returned 4 [0093.067] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0093.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0093.067] lstrlenW (lpString=".zip") returned 4 [0093.067] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0093.067] lstrlenW (lpString=".rar") returned 4 [0093.067] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0093.067] lstrlenW (lpString=".bz2") returned 4 [0093.067] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0093.067] lstrlenW (lpString=".7z") returned 3 [0093.067] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0093.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0093.067] lstrlenW (lpString=".dbf") returned 4 [0093.067] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0093.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0093.067] lstrlenW (lpString=".1cd") returned 4 [0093.067] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0093.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0093.067] lstrlenW (lpString=".jpg") returned 4 [0093.067] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0093.067] lstrcmpiW (lpString1=".png", lpString2=".mnbzr") returned 1 [0093.067] lstrlenW (lpString="16to9Squareframe_Buttongraphic.png") returned 34 [0093.068] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.071] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=10123) returned 1 [0093.071] CloseHandle (hObject=0x1f4) returned 1 [0093.071] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png")) returned 0x20 [0093.071] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.071] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.071] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0093.071] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0093.071] lstrlenW (lpString=".doc") returned 4 [0093.071] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.071] lstrlenW (lpString=".docx") returned 5 [0093.071] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0093.071] lstrlenW (lpString=".pdf") returned 4 [0093.071] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.071] lstrlenW (lpString=".xls") returned 4 [0093.071] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.072] lstrlenW (lpString=".xlsx") returned 5 [0093.072] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0093.072] lstrlenW (lpString=".ppt") returned 4 [0093.072] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.072] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0093.072] lstrlenW (lpString=".zip") returned 4 [0093.072] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.072] lstrlenW (lpString=".rar") returned 4 [0093.072] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.072] lstrlenW (lpString=".bz2") returned 4 [0093.072] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.072] lstrlenW (lpString=".7z") returned 3 [0093.072] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.072] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0093.072] lstrlenW (lpString=".dbf") returned 4 [0093.072] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.072] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0093.072] lstrlenW (lpString=".1cd") returned 4 [0093.072] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0093.072] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0093.072] lstrlenW (lpString=".jpg") returned 4 [0093.072] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0093.072] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0093.072] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0093.072] lstrlenW (lpString=".doc") returned 4 [0093.072] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.073] lstrlenW (lpString=".docx") returned 5 [0093.073] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0093.073] lstrlenW (lpString=".pdf") returned 4 [0093.073] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.073] lstrlenW (lpString=".xls") returned 4 [0093.073] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.073] lstrlenW (lpString=".xlsx") returned 5 [0093.073] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0093.073] lstrlenW (lpString=".ppt") returned 4 [0093.073] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.073] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0093.073] lstrlenW (lpString=".zip") returned 4 [0093.073] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.073] lstrlenW (lpString=".rar") returned 4 [0093.073] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.073] lstrlenW (lpString=".bz2") returned 4 [0093.073] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.073] lstrlenW (lpString=".7z") returned 3 [0093.073] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.073] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0093.073] lstrlenW (lpString=".dbf") returned 4 [0093.073] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.073] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0093.073] lstrlenW (lpString=".1cd") returned 4 [0093.073] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0093.073] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0093.073] lstrlenW (lpString=".jpg") returned 4 [0093.074] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0093.074] lstrcmpiW (lpString1=".png", lpString2=".mnbzr") returned 1 [0093.074] lstrlenW (lpString="16to9Squareframe_SelectionSubpicture.png") returned 40 [0093.074] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.074] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=3286) returned 1 [0093.074] CloseHandle (hObject=0x1f4) returned 1 [0093.074] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png")) returned 0x20 [0093.074] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.075] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.075] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0093.075] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0093.075] lstrlenW (lpString=".doc") returned 4 [0093.075] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.075] lstrlenW (lpString=".docx") returned 5 [0093.075] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0093.075] lstrlenW (lpString=".pdf") returned 4 [0093.075] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.075] lstrlenW (lpString=".xls") returned 4 [0093.075] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.075] lstrlenW (lpString=".xlsx") returned 5 [0093.075] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0093.075] lstrlenW (lpString=".ppt") returned 4 [0093.075] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.075] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0093.075] lstrlenW (lpString=".zip") returned 4 [0093.075] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.075] lstrlenW (lpString=".rar") returned 4 [0093.075] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.075] lstrlenW (lpString=".bz2") returned 4 [0093.075] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.075] lstrlenW (lpString=".7z") returned 3 [0093.075] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.076] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0093.076] lstrlenW (lpString=".dbf") returned 4 [0093.076] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.076] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0093.076] lstrlenW (lpString=".1cd") returned 4 [0093.076] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0093.076] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0093.076] lstrlenW (lpString=".jpg") returned 4 [0093.076] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0093.076] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0093.076] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0093.076] lstrlenW (lpString=".doc") returned 4 [0093.076] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.076] lstrlenW (lpString=".docx") returned 5 [0093.076] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0093.076] lstrlenW (lpString=".pdf") returned 4 [0093.076] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.076] lstrlenW (lpString=".xls") returned 4 [0093.076] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.076] lstrlenW (lpString=".xlsx") returned 5 [0093.076] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0093.076] lstrlenW (lpString=".ppt") returned 4 [0093.076] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.077] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0093.077] lstrlenW (lpString=".zip") returned 4 [0093.077] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.077] lstrlenW (lpString=".rar") returned 4 [0093.077] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.077] lstrlenW (lpString=".bz2") returned 4 [0093.077] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.077] lstrlenW (lpString=".7z") returned 3 [0093.077] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.077] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0093.077] lstrlenW (lpString=".dbf") returned 4 [0093.077] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.077] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0093.077] lstrlenW (lpString=".1cd") returned 4 [0093.077] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0093.077] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 84 [0093.077] lstrlenW (lpString=".jpg") returned 4 [0093.077] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0093.077] lstrcmpiW (lpString1=".png", lpString2=".mnbzr") returned 1 [0093.078] lstrlenW (lpString="16to9Squareframe_VideoInset.png") returned 31 [0093.078] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.079] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=3316) returned 1 [0093.079] CloseHandle (hObject=0x1f4) returned 1 [0093.079] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png")) returned 0x20 [0093.079] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.079] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.079] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0093.079] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0093.079] lstrlenW (lpString=".doc") returned 4 [0093.079] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.079] lstrlenW (lpString=".docx") returned 5 [0093.079] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0093.079] lstrlenW (lpString=".pdf") returned 4 [0093.079] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.079] lstrlenW (lpString=".xls") returned 4 [0093.079] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.079] lstrlenW (lpString=".xlsx") returned 5 [0093.079] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0093.080] lstrlenW (lpString=".ppt") returned 4 [0093.080] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0093.080] lstrlenW (lpString=".zip") returned 4 [0093.080] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.080] lstrlenW (lpString=".rar") returned 4 [0093.080] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.080] lstrlenW (lpString=".bz2") returned 4 [0093.080] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.080] lstrlenW (lpString=".7z") returned 3 [0093.080] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0093.080] lstrlenW (lpString=".dbf") returned 4 [0093.080] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0093.080] lstrlenW (lpString=".1cd") returned 4 [0093.080] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0093.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0093.080] lstrlenW (lpString=".jpg") returned 4 [0093.080] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0093.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0093.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0093.080] lstrlenW (lpString=".doc") returned 4 [0093.080] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.080] lstrlenW (lpString=".docx") returned 5 [0093.081] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0093.081] lstrlenW (lpString=".pdf") returned 4 [0093.081] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.081] lstrlenW (lpString=".xls") returned 4 [0093.081] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.081] lstrlenW (lpString=".xlsx") returned 5 [0093.081] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0093.081] lstrlenW (lpString=".ppt") returned 4 [0093.081] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.081] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0093.081] lstrlenW (lpString=".zip") returned 4 [0093.081] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.081] lstrlenW (lpString=".rar") returned 4 [0093.081] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.081] lstrlenW (lpString=".bz2") returned 4 [0093.081] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.081] lstrlenW (lpString=".7z") returned 3 [0093.081] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.081] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0093.081] lstrlenW (lpString=".dbf") returned 4 [0093.081] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.081] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0093.081] lstrlenW (lpString=".1cd") returned 4 [0093.081] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0093.081] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 75 [0093.081] lstrlenW (lpString=".jpg") returned 4 [0093.081] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0093.082] lstrcmpiW (lpString1=".png", lpString2=".mnbzr") returned 1 [0093.082] lstrlenW (lpString="4to3Squareframe_Buttongraphic.png") returned 33 [0093.082] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.082] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=11861) returned 1 [0093.082] CloseHandle (hObject=0x1f4) returned 1 [0093.082] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png")) returned 0x20 [0093.082] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.083] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.083] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0093.083] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0093.083] lstrlenW (lpString=".doc") returned 4 [0093.083] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.083] lstrlenW (lpString=".docx") returned 5 [0093.083] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0093.083] lstrlenW (lpString=".pdf") returned 4 [0093.083] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.083] lstrlenW (lpString=".xls") returned 4 [0093.083] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.083] lstrlenW (lpString=".xlsx") returned 5 [0093.083] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0093.083] lstrlenW (lpString=".ppt") returned 4 [0093.083] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.083] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0093.083] lstrlenW (lpString=".zip") returned 4 [0093.083] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.083] lstrlenW (lpString=".rar") returned 4 [0093.083] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.083] lstrlenW (lpString=".bz2") returned 4 [0093.083] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.083] lstrlenW (lpString=".7z") returned 3 [0093.083] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.084] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0093.084] lstrlenW (lpString=".dbf") returned 4 [0093.084] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.084] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0093.084] lstrlenW (lpString=".1cd") returned 4 [0093.084] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0093.084] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0093.084] lstrlenW (lpString=".jpg") returned 4 [0093.084] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0093.084] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0093.084] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0093.084] lstrlenW (lpString=".doc") returned 4 [0093.084] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.084] lstrlenW (lpString=".docx") returned 5 [0093.084] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0093.084] lstrlenW (lpString=".pdf") returned 4 [0093.084] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.084] lstrlenW (lpString=".xls") returned 4 [0093.084] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.084] lstrlenW (lpString=".xlsx") returned 5 [0093.084] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0093.084] lstrlenW (lpString=".ppt") returned 4 [0093.084] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.084] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0093.085] lstrlenW (lpString=".zip") returned 4 [0093.085] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.085] lstrlenW (lpString=".rar") returned 4 [0093.085] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.085] lstrlenW (lpString=".bz2") returned 4 [0093.085] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.085] lstrlenW (lpString=".7z") returned 3 [0093.085] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.085] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0093.085] lstrlenW (lpString=".dbf") returned 4 [0093.085] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0093.085] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0093.085] lstrlenW (lpString=".1cd") returned 4 [0093.085] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0093.085] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 77 [0093.085] lstrlenW (lpString=".jpg") returned 4 [0093.085] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0093.085] lstrcmpiW (lpString1=".png", lpString2=".mnbzr") returned 1 [0093.085] lstrlenW (lpString="4to3Squareframe_SelectionSubpicture.png") returned 39 [0093.085] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.086] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c1ff1c | out: lpFileSize=0x2c1ff1c*=3304) returned 1 [0093.086] CloseHandle (hObject=0x1f4) returned 1 [0093.086] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png")) returned 0x20 [0093.086] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.086] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.086] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0093.086] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0093.086] lstrlenW (lpString=".doc") returned 4 [0093.086] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0093.086] lstrlenW (lpString=".docx") returned 5 [0093.086] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0093.086] lstrlenW (lpString=".pdf") returned 4 [0093.086] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0093.086] lstrlenW (lpString=".xls") returned 4 [0093.086] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0093.086] lstrlenW (lpString=".xlsx") returned 5 [0093.086] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0093.086] lstrlenW (lpString=".ppt") returned 4 [0093.086] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0093.086] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0093.086] lstrlenW (lpString=".zip") returned 4 [0093.086] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0093.086] lstrlenW (lpString=".rar") returned 4 [0093.086] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0093.086] lstrlenW (lpString=".bz2") returned 4 [0093.087] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0093.087] lstrlenW (lpString=".7z") returned 3 [0093.087] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0093.087] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 83 [0093.087] lstrlenW (lpString=".dbf") returned 4 [0093.087] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 Thread: id = 12 os_tid = 0x7d4 [0066.905] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x31d0048 [0066.906] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x31e0050 [0066.906] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298c70 [0066.906] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x2e1000 [0066.906] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298c88 [0066.906] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x100000) returned 0x32d0020 [0066.907] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298ca0 [0066.907] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298ca0, Size=0x20) returned 0x2df448 [0066.907] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298ca0 [0066.907] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298ca0, Size=0x20) returned 0x2df3a8 [0066.907] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0066.907] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0066.907] Wow64DisableWow64FsRedirection (in: OldValue=0x2d5ff58 | out: OldValue=0x2d5ff58*=0x0) returned 1 [0066.908] lstrlenW (lpString="kernel32.dll") returned 12 [0066.908] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df448 | out: hHeap=0x240000) returned 1 [0066.908] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0066.908] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df3a8 | out: hHeap=0x240000) returned 1 [0066.908] Sleep (dwMilliseconds=0x64) [0067.052] Sleep (dwMilliseconds=0x64) [0067.509] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.509] lstrlenW (lpString="Setup.xml") returned 9 [0067.509] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.599] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=2296) returned 1 [0067.600] CloseHandle (hObject=0x1ac) returned 1 [0067.600] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0067.600] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.600] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.600] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.600] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.600] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0067.602] GetLastError () returned 0x0 [0067.602] ReadFile (in: hFile=0x1ac, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0067.618] WriteFile (in: hFile=0x1b4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x900, lpOverlapped=0x0) returned 1 [0067.619] ReadFile (in: hFile=0x1ac, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.619] WriteFile (in: hFile=0x1b4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0067.619] SetEndOfFile (hFile=0x1b4) returned 1 [0067.619] CloseHandle (hObject=0x1b4) returned 1 [0067.623] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.623] SetEndOfFile (hFile=0x1ac) returned 1 [0067.624] CloseHandle (hObject=0x1ac) returned 1 [0067.624] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.624] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0067.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.624] lstrlenW (lpString=".doc") returned 4 [0067.624] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.624] lstrlenW (lpString=".docx") returned 5 [0067.624] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0067.625] lstrlenW (lpString=".pdf") returned 4 [0067.625] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.625] lstrlenW (lpString=".xls") returned 4 [0067.625] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.625] lstrlenW (lpString=".xlsx") returned 5 [0067.625] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0067.625] lstrlenW (lpString=".ppt") returned 4 [0067.625] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.625] lstrlenW (lpString=".zip") returned 4 [0067.625] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.625] lstrlenW (lpString=".rar") returned 4 [0067.625] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.625] lstrlenW (lpString=".bz2") returned 4 [0067.625] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.625] lstrlenW (lpString=".7z") returned 3 [0067.625] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.625] lstrlenW (lpString=".dbf") returned 4 [0067.625] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.625] lstrlenW (lpString=".1cd") returned 4 [0067.625] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.625] lstrlenW (lpString=".jpg") returned 4 [0067.625] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.625] lstrlenW (lpString=".doc") returned 4 [0067.625] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.625] lstrlenW (lpString=".docx") returned 5 [0067.625] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0067.625] lstrlenW (lpString=".pdf") returned 4 [0067.625] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.625] lstrlenW (lpString=".xls") returned 4 [0067.626] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.626] lstrlenW (lpString=".xlsx") returned 5 [0067.626] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0067.626] lstrlenW (lpString=".ppt") returned 4 [0067.626] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.626] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.626] lstrlenW (lpString=".zip") returned 4 [0067.626] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.626] lstrlenW (lpString=".rar") returned 4 [0067.626] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.626] lstrlenW (lpString=".bz2") returned 4 [0067.626] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.626] lstrlenW (lpString=".7z") returned 3 [0067.626] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.626] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.626] lstrlenW (lpString=".dbf") returned 4 [0067.626] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.626] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.626] lstrlenW (lpString=".1cd") returned 4 [0067.626] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.626] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.626] lstrlenW (lpString=".jpg") returned 4 [0067.626] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.626] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.626] lstrlenW (lpString="Setup.xml") returned 9 [0067.626] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0067.762] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1608) returned 1 [0067.762] CloseHandle (hObject=0x164) returned 1 [0067.762] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0067.762] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.762] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0067.762] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.763] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.763] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0067.763] GetLastError () returned 0x0 [0067.763] ReadFile (in: hFile=0x164, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x648, lpOverlapped=0x0) returned 1 [0067.769] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x650, lpOverlapped=0x0) returned 1 [0067.770] ReadFile (in: hFile=0x164, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.770] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0067.770] SetEndOfFile (hFile=0x1b0) returned 1 [0067.771] CloseHandle (hObject=0x1b0) returned 1 [0067.772] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.772] SetEndOfFile (hFile=0x164) returned 1 [0067.772] CloseHandle (hObject=0x164) returned 1 [0067.773] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.773] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0067.773] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.773] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.773] lstrlenW (lpString=".doc") returned 4 [0067.773] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.773] lstrlenW (lpString=".docx") returned 5 [0067.773] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0067.773] lstrlenW (lpString=".pdf") returned 4 [0067.773] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.773] lstrlenW (lpString=".xls") returned 4 [0067.773] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.774] lstrlenW (lpString=".xlsx") returned 5 [0067.774] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0067.774] lstrlenW (lpString=".ppt") returned 4 [0067.774] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.774] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.774] lstrlenW (lpString=".zip") returned 4 [0067.774] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.774] lstrlenW (lpString=".rar") returned 4 [0067.774] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.774] lstrlenW (lpString=".bz2") returned 4 [0067.774] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.774] lstrlenW (lpString=".7z") returned 3 [0067.774] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.774] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.774] lstrlenW (lpString=".dbf") returned 4 [0067.774] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.774] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.774] lstrlenW (lpString=".1cd") returned 4 [0067.774] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.774] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.774] lstrlenW (lpString=".jpg") returned 4 [0067.774] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.774] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.774] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.774] lstrlenW (lpString=".doc") returned 4 [0067.774] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.774] lstrlenW (lpString=".docx") returned 5 [0067.774] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0067.774] lstrlenW (lpString=".pdf") returned 4 [0067.774] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.774] lstrlenW (lpString=".xls") returned 4 [0067.774] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.774] lstrlenW (lpString=".xlsx") returned 5 [0067.774] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0067.775] lstrlenW (lpString=".ppt") returned 4 [0067.775] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.775] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.775] lstrlenW (lpString=".zip") returned 4 [0067.775] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.775] lstrlenW (lpString=".rar") returned 4 [0067.775] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.775] lstrlenW (lpString=".bz2") returned 4 [0067.775] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.775] lstrlenW (lpString=".7z") returned 3 [0067.775] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.775] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.775] lstrlenW (lpString=".dbf") returned 4 [0067.775] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.775] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.775] lstrlenW (lpString=".1cd") returned 4 [0067.775] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.775] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.775] lstrlenW (lpString=".jpg") returned 4 [0067.775] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.775] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.775] lstrlenW (lpString="Setup.xml") returned 9 [0067.775] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0067.776] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=2424) returned 1 [0067.776] CloseHandle (hObject=0x164) returned 1 [0067.776] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0067.776] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.776] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0067.776] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.776] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.776] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0067.778] GetLastError () returned 0x0 [0067.778] ReadFile (in: hFile=0x164, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x978, lpOverlapped=0x0) returned 1 [0067.779] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x980, lpOverlapped=0x0) returned 1 [0067.780] ReadFile (in: hFile=0x164, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.780] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0067.781] SetEndOfFile (hFile=0x1b0) returned 1 [0067.781] CloseHandle (hObject=0x1b0) returned 1 [0067.783] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.783] SetEndOfFile (hFile=0x164) returned 1 [0067.784] CloseHandle (hObject=0x164) returned 1 [0067.784] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.784] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0067.785] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.785] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.785] lstrlenW (lpString=".doc") returned 4 [0067.785] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.785] lstrlenW (lpString=".docx") returned 5 [0067.785] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0067.785] lstrlenW (lpString=".pdf") returned 4 [0067.785] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.785] lstrlenW (lpString=".xls") returned 4 [0067.785] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.785] lstrlenW (lpString=".xlsx") returned 5 [0067.785] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0067.785] lstrlenW (lpString=".ppt") returned 4 [0067.785] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.785] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.785] lstrlenW (lpString=".zip") returned 4 [0067.785] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.785] lstrlenW (lpString=".rar") returned 4 [0067.785] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.785] lstrlenW (lpString=".bz2") returned 4 [0067.785] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.785] lstrlenW (lpString=".7z") returned 3 [0067.785] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.785] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.785] lstrlenW (lpString=".dbf") returned 4 [0067.785] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.785] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.785] lstrlenW (lpString=".1cd") returned 4 [0067.785] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.785] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.785] lstrlenW (lpString=".jpg") returned 4 [0067.786] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.786] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.786] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.786] lstrlenW (lpString=".doc") returned 4 [0067.786] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.786] lstrlenW (lpString=".docx") returned 5 [0067.786] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0067.786] lstrlenW (lpString=".pdf") returned 4 [0067.786] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.786] lstrlenW (lpString=".xls") returned 4 [0067.786] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.786] lstrlenW (lpString=".xlsx") returned 5 [0067.786] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0067.786] lstrlenW (lpString=".ppt") returned 4 [0067.786] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.786] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.786] lstrlenW (lpString=".zip") returned 4 [0067.786] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.786] lstrlenW (lpString=".rar") returned 4 [0067.786] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.786] lstrlenW (lpString=".bz2") returned 4 [0067.786] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.786] lstrlenW (lpString=".7z") returned 3 [0067.786] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.786] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.786] lstrlenW (lpString=".dbf") returned 4 [0067.786] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.786] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.786] lstrlenW (lpString=".1cd") returned 4 [0067.786] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.786] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0067.787] lstrlenW (lpString=".jpg") returned 4 [0067.787] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.787] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.787] lstrlenW (lpString="WordMUI.xml") returned 11 [0067.787] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0067.787] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1800) returned 1 [0067.787] CloseHandle (hObject=0x164) returned 1 [0067.787] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 0x2020 [0067.787] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.787] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0067.787] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.788] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.788] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0067.788] GetLastError () returned 0x0 [0067.788] ReadFile (in: hFile=0x164, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x708, lpOverlapped=0x0) returned 1 [0067.966] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x710, lpOverlapped=0x0) returned 1 [0067.967] ReadFile (in: hFile=0x164, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0067.967] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0067.967] SetEndOfFile (hFile=0x1b0) returned 1 [0067.968] CloseHandle (hObject=0x1b0) returned 1 [0067.969] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.969] SetEndOfFile (hFile=0x164) returned 1 [0067.970] CloseHandle (hObject=0x164) returned 1 [0067.970] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0067.970] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 1 [0067.970] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0067.970] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0067.970] lstrlenW (lpString=".doc") returned 4 [0067.970] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.970] lstrlenW (lpString=".docx") returned 5 [0067.970] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0067.970] lstrlenW (lpString=".pdf") returned 4 [0067.971] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.971] lstrlenW (lpString=".xls") returned 4 [0067.971] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.971] lstrlenW (lpString=".xlsx") returned 5 [0067.971] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0067.971] lstrlenW (lpString=".ppt") returned 4 [0067.971] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0067.971] lstrlenW (lpString=".zip") returned 4 [0067.971] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.971] lstrlenW (lpString=".rar") returned 4 [0067.971] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.971] lstrlenW (lpString=".bz2") returned 4 [0067.971] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.971] lstrlenW (lpString=".7z") returned 3 [0067.971] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0067.971] lstrlenW (lpString=".dbf") returned 4 [0067.971] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0067.971] lstrlenW (lpString=".1cd") returned 4 [0067.971] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0067.971] lstrlenW (lpString=".jpg") returned 4 [0067.971] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0067.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0067.971] lstrlenW (lpString=".doc") returned 4 [0067.971] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0067.971] lstrlenW (lpString=".docx") returned 5 [0067.971] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0067.971] lstrlenW (lpString=".pdf") returned 4 [0067.971] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0067.972] lstrlenW (lpString=".xls") returned 4 [0067.972] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0067.972] lstrlenW (lpString=".xlsx") returned 5 [0067.972] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0067.972] lstrlenW (lpString=".ppt") returned 4 [0067.972] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0067.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0067.972] lstrlenW (lpString=".zip") returned 4 [0067.972] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0067.972] lstrlenW (lpString=".rar") returned 4 [0067.972] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0067.972] lstrlenW (lpString=".bz2") returned 4 [0067.972] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0067.972] lstrlenW (lpString=".7z") returned 3 [0067.972] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0067.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0067.972] lstrlenW (lpString=".dbf") returned 4 [0067.972] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0067.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0067.972] lstrlenW (lpString=".1cd") returned 4 [0067.972] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0067.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0067.972] lstrlenW (lpString=".jpg") returned 4 [0067.972] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0067.972] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0067.973] lstrlenW (lpString="Office32MUI.xml") returned 15 [0067.973] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0067.974] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1383) returned 1 [0067.974] CloseHandle (hObject=0x164) returned 1 [0067.974] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 0x2020 [0067.974] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.974] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0067.974] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.974] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0067.974] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0067.975] GetLastError () returned 0x0 [0067.975] ReadFile (in: hFile=0x164, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x567, lpOverlapped=0x0) returned 1 [0068.039] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x570, lpOverlapped=0x0) returned 1 [0068.041] ReadFile (in: hFile=0x164, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0068.041] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0068.041] SetEndOfFile (hFile=0x1b0) returned 1 [0068.041] CloseHandle (hObject=0x1b0) returned 1 [0068.042] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.042] SetEndOfFile (hFile=0x164) returned 1 [0068.043] CloseHandle (hObject=0x164) returned 1 [0068.044] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0068.044] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 1 [0068.044] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0068.044] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0068.044] lstrlenW (lpString=".doc") returned 4 [0068.044] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.044] lstrlenW (lpString=".docx") returned 5 [0068.044] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0068.044] lstrlenW (lpString=".pdf") returned 4 [0068.044] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.044] lstrlenW (lpString=".xls") returned 4 [0068.045] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.045] lstrlenW (lpString=".xlsx") returned 5 [0068.045] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0068.045] lstrlenW (lpString=".ppt") returned 4 [0068.045] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0068.045] lstrlenW (lpString=".zip") returned 4 [0068.045] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.045] lstrlenW (lpString=".rar") returned 4 [0068.045] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.045] lstrlenW (lpString=".bz2") returned 4 [0068.045] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.045] lstrlenW (lpString=".7z") returned 3 [0068.045] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0068.045] lstrlenW (lpString=".dbf") returned 4 [0068.045] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0068.045] lstrlenW (lpString=".1cd") returned 4 [0068.045] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0068.045] lstrlenW (lpString=".jpg") returned 4 [0068.045] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0068.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0068.045] lstrlenW (lpString=".doc") returned 4 [0068.046] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.046] lstrlenW (lpString=".docx") returned 5 [0068.046] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0068.046] lstrlenW (lpString=".pdf") returned 4 [0068.046] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.046] lstrlenW (lpString=".xls") returned 4 [0068.046] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.046] lstrlenW (lpString=".xlsx") returned 5 [0068.046] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0068.046] lstrlenW (lpString=".ppt") returned 4 [0068.046] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0068.046] lstrlenW (lpString=".zip") returned 4 [0068.046] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.046] lstrlenW (lpString=".rar") returned 4 [0068.046] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.046] lstrlenW (lpString=".bz2") returned 4 [0068.046] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.046] lstrlenW (lpString=".7z") returned 3 [0068.046] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0068.046] lstrlenW (lpString=".dbf") returned 4 [0068.046] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0068.046] lstrlenW (lpString=".1cd") returned 4 [0068.046] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0068.047] lstrlenW (lpString=".jpg") returned 4 [0068.047] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.047] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0068.047] lstrlenW (lpString="Setup.xml") returned 9 [0068.047] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0068.048] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=2362) returned 1 [0068.048] CloseHandle (hObject=0x164) returned 1 [0068.048] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0068.048] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0068.048] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0068.048] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.048] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.048] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0068.049] GetLastError () returned 0x0 [0068.049] ReadFile (in: hFile=0x164, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x93a, lpOverlapped=0x0) returned 1 [0068.131] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x940, lpOverlapped=0x0) returned 1 [0068.133] ReadFile (in: hFile=0x164, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0068.133] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0068.133] SetEndOfFile (hFile=0x1b0) returned 1 [0068.133] CloseHandle (hObject=0x1b0) returned 1 [0068.134] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.134] SetEndOfFile (hFile=0x164) returned 1 [0068.136] CloseHandle (hObject=0x164) returned 1 [0068.136] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0068.136] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0068.137] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.137] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.137] lstrlenW (lpString=".doc") returned 4 [0068.137] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.137] lstrlenW (lpString=".docx") returned 5 [0068.137] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0068.137] lstrlenW (lpString=".pdf") returned 4 [0068.137] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.137] lstrlenW (lpString=".xls") returned 4 [0068.137] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.137] lstrlenW (lpString=".xlsx") returned 5 [0068.137] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0068.137] lstrlenW (lpString=".ppt") returned 4 [0068.137] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.137] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.137] lstrlenW (lpString=".zip") returned 4 [0068.137] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.137] lstrlenW (lpString=".rar") returned 4 [0068.137] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.137] lstrlenW (lpString=".bz2") returned 4 [0068.137] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.137] lstrlenW (lpString=".7z") returned 3 [0068.137] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.137] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.137] lstrlenW (lpString=".dbf") returned 4 [0068.137] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.137] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.138] lstrlenW (lpString=".1cd") returned 4 [0068.138] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.138] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.138] lstrlenW (lpString=".jpg") returned 4 [0068.138] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.138] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.138] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.138] lstrlenW (lpString=".doc") returned 4 [0068.138] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.138] lstrlenW (lpString=".docx") returned 5 [0068.138] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0068.138] lstrlenW (lpString=".pdf") returned 4 [0068.138] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.138] lstrlenW (lpString=".xls") returned 4 [0068.138] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.138] lstrlenW (lpString=".xlsx") returned 5 [0068.138] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0068.138] lstrlenW (lpString=".ppt") returned 4 [0068.138] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.138] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.138] lstrlenW (lpString=".zip") returned 4 [0068.138] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.138] lstrlenW (lpString=".rar") returned 4 [0068.138] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.138] lstrlenW (lpString=".bz2") returned 4 [0068.138] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.139] lstrlenW (lpString=".7z") returned 3 [0068.139] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.139] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.139] lstrlenW (lpString=".dbf") returned 4 [0068.139] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.139] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.139] lstrlenW (lpString=".1cd") returned 4 [0068.139] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.139] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.139] lstrlenW (lpString=".jpg") returned 4 [0068.139] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.139] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0068.139] lstrlenW (lpString="Setup.xml") returned 9 [0068.139] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0068.180] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=6241) returned 1 [0068.180] CloseHandle (hObject=0x1f4) returned 1 [0068.180] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0068.180] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0068.181] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0068.181] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.181] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.181] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0068.183] GetLastError () returned 0x0 [0068.183] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x1861, lpOverlapped=0x0) returned 1 [0068.185] WriteFile (in: hFile=0x1f8, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0068.186] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0068.186] WriteFile (in: hFile=0x1f8, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0068.186] SetEndOfFile (hFile=0x1f8) returned 1 [0068.186] CloseHandle (hObject=0x1f8) returned 1 [0068.187] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.187] SetEndOfFile (hFile=0x1f4) returned 1 [0068.188] CloseHandle (hObject=0x1f4) returned 1 [0068.188] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0068.189] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0068.189] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.189] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.189] lstrlenW (lpString=".doc") returned 4 [0068.189] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.189] lstrlenW (lpString=".docx") returned 5 [0068.189] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0068.189] lstrlenW (lpString=".pdf") returned 4 [0068.189] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.189] lstrlenW (lpString=".xls") returned 4 [0068.189] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.189] lstrlenW (lpString=".xlsx") returned 5 [0068.189] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0068.189] lstrlenW (lpString=".ppt") returned 4 [0068.189] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.189] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.189] lstrlenW (lpString=".zip") returned 4 [0068.189] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.189] lstrlenW (lpString=".rar") returned 4 [0068.189] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.189] lstrlenW (lpString=".bz2") returned 4 [0068.189] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.189] lstrlenW (lpString=".7z") returned 3 [0068.189] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.189] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.190] lstrlenW (lpString=".dbf") returned 4 [0068.190] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.190] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.190] lstrlenW (lpString=".1cd") returned 4 [0068.190] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.190] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.190] lstrlenW (lpString=".jpg") returned 4 [0068.190] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.190] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.190] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.190] lstrlenW (lpString=".doc") returned 4 [0068.190] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.190] lstrlenW (lpString=".docx") returned 5 [0068.190] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0068.190] lstrlenW (lpString=".pdf") returned 4 [0068.190] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.190] lstrlenW (lpString=".xls") returned 4 [0068.190] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.190] lstrlenW (lpString=".xlsx") returned 5 [0068.190] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0068.190] lstrlenW (lpString=".ppt") returned 4 [0068.190] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.190] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.190] lstrlenW (lpString=".zip") returned 4 [0068.190] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.190] lstrlenW (lpString=".rar") returned 4 [0068.190] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.190] lstrlenW (lpString=".bz2") returned 4 [0068.190] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.190] lstrlenW (lpString=".7z") returned 3 [0068.190] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.190] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.190] lstrlenW (lpString=".dbf") returned 4 [0068.190] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.191] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.191] lstrlenW (lpString=".1cd") returned 4 [0068.191] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.191] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0068.191] lstrlenW (lpString=".jpg") returned 4 [0068.191] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.191] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0068.191] lstrlenW (lpString="OneNoteMUI.xml") returned 14 [0068.191] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0068.192] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1606) returned 1 [0068.192] CloseHandle (hObject=0x1f4) returned 1 [0068.192] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 0x2020 [0068.192] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0068.192] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0068.192] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.192] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.192] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0068.193] GetLastError () returned 0x0 [0068.193] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x646, lpOverlapped=0x0) returned 1 [0068.195] WriteFile (in: hFile=0x1f8, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x650, lpOverlapped=0x0) returned 1 [0068.196] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0068.196] WriteFile (in: hFile=0x1f8, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0068.196] SetEndOfFile (hFile=0x1f8) returned 1 [0068.196] CloseHandle (hObject=0x1f8) returned 1 [0068.197] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.197] SetEndOfFile (hFile=0x1f4) returned 1 [0068.199] CloseHandle (hObject=0x1f4) returned 1 [0068.199] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0068.199] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 1 [0068.199] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0068.199] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0068.199] lstrlenW (lpString=".doc") returned 4 [0068.199] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.199] lstrlenW (lpString=".docx") returned 5 [0068.199] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0068.199] lstrlenW (lpString=".pdf") returned 4 [0068.199] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.199] lstrlenW (lpString=".xls") returned 4 [0068.199] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.200] lstrlenW (lpString=".xlsx") returned 5 [0068.200] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0068.200] lstrlenW (lpString=".ppt") returned 4 [0068.200] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0068.200] lstrlenW (lpString=".zip") returned 4 [0068.200] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.200] lstrlenW (lpString=".rar") returned 4 [0068.200] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.200] lstrlenW (lpString=".bz2") returned 4 [0068.200] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.200] lstrlenW (lpString=".7z") returned 3 [0068.200] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0068.200] lstrlenW (lpString=".dbf") returned 4 [0068.200] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0068.200] lstrlenW (lpString=".1cd") returned 4 [0068.200] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0068.200] lstrlenW (lpString=".jpg") returned 4 [0068.200] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0068.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0068.200] lstrlenW (lpString=".doc") returned 4 [0068.200] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0068.200] lstrlenW (lpString=".docx") returned 5 [0068.200] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0068.200] lstrlenW (lpString=".pdf") returned 4 [0068.200] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0068.200] lstrlenW (lpString=".xls") returned 4 [0068.201] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0068.201] lstrlenW (lpString=".xlsx") returned 5 [0068.201] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0068.201] lstrlenW (lpString=".ppt") returned 4 [0068.201] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0068.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0068.201] lstrlenW (lpString=".zip") returned 4 [0068.201] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0068.201] lstrlenW (lpString=".rar") returned 4 [0068.201] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0068.201] lstrlenW (lpString=".bz2") returned 4 [0068.201] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0068.201] lstrlenW (lpString=".7z") returned 3 [0068.201] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0068.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0068.201] lstrlenW (lpString=".dbf") returned 4 [0068.201] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0068.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0068.201] lstrlenW (lpString=".1cd") returned 4 [0068.201] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0068.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0068.201] lstrlenW (lpString=".jpg") returned 4 [0068.201] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0068.201] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0068.201] lstrlenW (lpString="Setup.xml") returned 9 [0068.201] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0069.359] GetFileSizeEx (in: hFile=0x1e0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1988) returned 1 [0069.359] CloseHandle (hObject=0x1e0) returned 1 [0069.359] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0069.359] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0069.359] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0069.360] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.360] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.360] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0069.360] GetLastError () returned 0x0 [0069.360] ReadFile (in: hFile=0x1e0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x7c4, lpOverlapped=0x0) returned 1 [0069.431] WriteFile (in: hFile=0x1e4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0069.432] ReadFile (in: hFile=0x1e0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0069.432] WriteFile (in: hFile=0x1e4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0069.438] SetEndOfFile (hFile=0x1e4) returned 1 [0069.441] CloseHandle (hObject=0x1e4) returned 1 [0069.442] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.442] SetEndOfFile (hFile=0x1e0) returned 1 [0069.443] CloseHandle (hObject=0x1e0) returned 1 [0069.443] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0069.444] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0069.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.444] lstrlenW (lpString=".doc") returned 4 [0069.444] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.444] lstrlenW (lpString=".docx") returned 5 [0069.444] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0069.444] lstrlenW (lpString=".pdf") returned 4 [0069.444] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.444] lstrlenW (lpString=".xls") returned 4 [0069.444] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.444] lstrlenW (lpString=".xlsx") returned 5 [0069.444] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0069.444] lstrlenW (lpString=".ppt") returned 4 [0069.444] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.444] lstrlenW (lpString=".zip") returned 4 [0069.444] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.444] lstrlenW (lpString=".rar") returned 4 [0069.445] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.445] lstrlenW (lpString=".bz2") returned 4 [0069.445] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.445] lstrlenW (lpString=".7z") returned 3 [0069.445] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.445] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.445] lstrlenW (lpString=".dbf") returned 4 [0069.445] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.445] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.445] lstrlenW (lpString=".1cd") returned 4 [0069.445] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.445] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.445] lstrlenW (lpString=".jpg") returned 4 [0069.445] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.445] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.445] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.445] lstrlenW (lpString=".doc") returned 4 [0069.445] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.445] lstrlenW (lpString=".docx") returned 5 [0069.445] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0069.445] lstrlenW (lpString=".pdf") returned 4 [0069.445] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.445] lstrlenW (lpString=".xls") returned 4 [0069.445] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.445] lstrlenW (lpString=".xlsx") returned 5 [0069.445] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0069.445] lstrlenW (lpString=".ppt") returned 4 [0069.446] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.446] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.446] lstrlenW (lpString=".zip") returned 4 [0069.446] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.446] lstrlenW (lpString=".rar") returned 4 [0069.446] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.446] lstrlenW (lpString=".bz2") returned 4 [0069.446] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.446] lstrlenW (lpString=".7z") returned 3 [0069.446] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.446] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.446] lstrlenW (lpString=".dbf") returned 4 [0069.446] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.446] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.446] lstrlenW (lpString=".1cd") returned 4 [0069.446] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.446] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0069.446] lstrlenW (lpString=".jpg") returned 4 [0069.446] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.446] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0069.446] lstrlenW (lpString="OfficeMUI.xml") returned 13 [0069.446] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0069.538] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=5557) returned 1 [0069.538] CloseHandle (hObject=0x1f0) returned 1 [0069.538] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 0x2020 [0069.538] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0069.538] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0069.538] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.538] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.538] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0069.538] GetLastError () returned 0x0 [0069.538] ReadFile (in: hFile=0x1f0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x15b5, lpOverlapped=0x0) returned 1 [0069.580] WriteFile (in: hFile=0x1f4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0069.581] ReadFile (in: hFile=0x1f0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0069.581] WriteFile (in: hFile=0x1f4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0069.581] SetEndOfFile (hFile=0x1f4) returned 1 [0069.581] CloseHandle (hObject=0x1f4) returned 1 [0069.582] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.583] SetEndOfFile (hFile=0x1f0) returned 1 [0069.584] CloseHandle (hObject=0x1f0) returned 1 [0069.584] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0069.585] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 1 [0069.585] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0069.585] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0069.585] lstrlenW (lpString=".doc") returned 4 [0069.585] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.585] lstrlenW (lpString=".docx") returned 5 [0069.585] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0069.585] lstrlenW (lpString=".pdf") returned 4 [0069.585] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.585] lstrlenW (lpString=".xls") returned 4 [0069.585] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.585] lstrlenW (lpString=".xlsx") returned 5 [0069.585] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0069.585] lstrlenW (lpString=".ppt") returned 4 [0069.585] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.585] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0069.585] lstrlenW (lpString=".zip") returned 4 [0069.585] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.585] lstrlenW (lpString=".rar") returned 4 [0069.586] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.586] lstrlenW (lpString=".bz2") returned 4 [0069.586] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.586] lstrlenW (lpString=".7z") returned 3 [0069.586] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0069.586] lstrlenW (lpString=".dbf") returned 4 [0069.586] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0069.586] lstrlenW (lpString=".1cd") returned 4 [0069.586] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0069.586] lstrlenW (lpString=".jpg") returned 4 [0069.586] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0069.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0069.586] lstrlenW (lpString=".doc") returned 4 [0069.586] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.586] lstrlenW (lpString=".docx") returned 5 [0069.586] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0069.586] lstrlenW (lpString=".pdf") returned 4 [0069.586] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.586] lstrlenW (lpString=".xls") returned 4 [0069.586] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.586] lstrlenW (lpString=".xlsx") returned 5 [0069.586] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0069.586] lstrlenW (lpString=".ppt") returned 4 [0069.586] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.586] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0069.586] lstrlenW (lpString=".zip") returned 4 [0069.586] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.586] lstrlenW (lpString=".rar") returned 4 [0069.586] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.587] lstrlenW (lpString=".bz2") returned 4 [0069.587] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.587] lstrlenW (lpString=".7z") returned 3 [0069.587] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.587] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0069.587] lstrlenW (lpString=".dbf") returned 4 [0069.587] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.587] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0069.587] lstrlenW (lpString=".1cd") returned 4 [0069.587] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.587] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0069.587] lstrlenW (lpString=".jpg") returned 4 [0069.587] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.587] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0069.587] lstrlenW (lpString="OfficeMUISet.xml") returned 16 [0069.587] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0069.587] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=819) returned 1 [0069.587] CloseHandle (hObject=0x1f0) returned 1 [0069.588] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 0x2020 [0069.588] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0069.588] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0069.588] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.588] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.588] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0069.588] GetLastError () returned 0x0 [0069.588] ReadFile (in: hFile=0x1f0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x333, lpOverlapped=0x0) returned 1 [0069.646] WriteFile (in: hFile=0x1f4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x340, lpOverlapped=0x0) returned 1 [0069.647] ReadFile (in: hFile=0x1f0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0069.647] WriteFile (in: hFile=0x1f4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0069.647] SetEndOfFile (hFile=0x1f4) returned 1 [0069.647] CloseHandle (hObject=0x1f4) returned 1 [0069.648] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.648] SetEndOfFile (hFile=0x1f0) returned 1 [0069.649] CloseHandle (hObject=0x1f0) returned 1 [0069.649] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0069.650] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 1 [0069.650] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0069.650] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0069.650] lstrlenW (lpString=".doc") returned 4 [0069.650] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.650] lstrlenW (lpString=".docx") returned 5 [0069.650] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0069.650] lstrlenW (lpString=".pdf") returned 4 [0069.650] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.650] lstrlenW (lpString=".xls") returned 4 [0069.650] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.650] lstrlenW (lpString=".xlsx") returned 5 [0069.650] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0069.651] lstrlenW (lpString=".ppt") returned 4 [0069.651] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.651] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0069.651] lstrlenW (lpString=".zip") returned 4 [0069.651] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.651] lstrlenW (lpString=".rar") returned 4 [0069.651] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.651] lstrlenW (lpString=".bz2") returned 4 [0069.651] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.651] lstrlenW (lpString=".7z") returned 3 [0069.651] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.651] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0069.651] lstrlenW (lpString=".dbf") returned 4 [0069.651] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.651] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0069.651] lstrlenW (lpString=".1cd") returned 4 [0069.651] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.651] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0069.651] lstrlenW (lpString=".jpg") returned 4 [0069.651] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.651] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0069.651] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0069.651] lstrlenW (lpString=".doc") returned 4 [0069.651] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.651] lstrlenW (lpString=".docx") returned 5 [0069.651] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0069.651] lstrlenW (lpString=".pdf") returned 4 [0069.651] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.651] lstrlenW (lpString=".xls") returned 4 [0069.651] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.651] lstrlenW (lpString=".xlsx") returned 5 [0069.651] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0069.651] lstrlenW (lpString=".ppt") returned 4 [0069.651] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0069.652] lstrlenW (lpString=".zip") returned 4 [0069.652] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.652] lstrlenW (lpString=".rar") returned 4 [0069.652] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.652] lstrlenW (lpString=".bz2") returned 4 [0069.652] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.652] lstrlenW (lpString=".7z") returned 3 [0069.652] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0069.652] lstrlenW (lpString=".dbf") returned 4 [0069.652] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0069.652] lstrlenW (lpString=".1cd") returned 4 [0069.652] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.652] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0069.652] lstrlenW (lpString=".jpg") returned 4 [0069.652] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.652] lstrcmpiW (lpString1=".chm", lpString2=".mnbzr") returned -1 [0069.652] lstrlenW (lpString="pss10r.chm") returned 10 [0069.652] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0069.668] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=27195) returned 1 [0069.668] CloseHandle (hObject=0x1c8) returned 1 [0069.668] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 0x2020 [0069.668] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0069.668] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0069.668] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.668] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.668] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0069.669] GetLastError () returned 0x0 [0069.669] ReadFile (in: hFile=0x1c8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0069.676] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0069.677] ReadFile (in: hFile=0x1c8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0069.677] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0069.677] SetEndOfFile (hFile=0x204) returned 1 [0069.678] CloseHandle (hObject=0x204) returned 1 [0069.682] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.682] SetEndOfFile (hFile=0x1c8) returned 1 [0069.683] CloseHandle (hObject=0x1c8) returned 1 [0069.683] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0069.683] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 1 [0069.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0069.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0069.683] lstrlenW (lpString=".doc") returned 4 [0069.683] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0069.683] lstrlenW (lpString=".docx") returned 5 [0069.683] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0069.683] lstrlenW (lpString=".pdf") returned 4 [0069.683] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0069.683] lstrlenW (lpString=".xls") returned 4 [0069.684] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0069.684] lstrlenW (lpString=".xlsx") returned 5 [0069.684] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0069.684] lstrlenW (lpString=".ppt") returned 4 [0069.684] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0069.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0069.684] lstrlenW (lpString=".zip") returned 4 [0069.684] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0069.684] lstrlenW (lpString=".rar") returned 4 [0069.684] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0069.684] lstrlenW (lpString=".bz2") returned 4 [0069.684] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0069.684] lstrlenW (lpString=".7z") returned 3 [0069.684] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0069.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0069.684] lstrlenW (lpString=".dbf") returned 4 [0069.684] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0069.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0069.684] lstrlenW (lpString=".1cd") returned 4 [0069.684] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0069.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0069.684] lstrlenW (lpString=".jpg") returned 4 [0069.684] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0069.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0069.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0069.684] lstrlenW (lpString=".doc") returned 4 [0069.684] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0069.684] lstrlenW (lpString=".docx") returned 5 [0069.684] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0069.684] lstrlenW (lpString=".pdf") returned 4 [0069.684] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0069.684] lstrlenW (lpString=".xls") returned 4 [0069.684] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0069.685] lstrlenW (lpString=".xlsx") returned 5 [0069.685] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0069.685] lstrlenW (lpString=".ppt") returned 4 [0069.685] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0069.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0069.685] lstrlenW (lpString=".zip") returned 4 [0069.685] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0069.685] lstrlenW (lpString=".rar") returned 4 [0069.685] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0069.685] lstrlenW (lpString=".bz2") returned 4 [0069.685] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0069.685] lstrlenW (lpString=".7z") returned 3 [0069.685] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0069.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0069.685] lstrlenW (lpString=".dbf") returned 4 [0069.685] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0069.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0069.685] lstrlenW (lpString=".1cd") returned 4 [0069.685] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0069.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0069.685] lstrlenW (lpString=".jpg") returned 4 [0069.686] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0069.686] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0069.686] lstrlenW (lpString="AccessMUI.xml") returned 13 [0069.686] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0069.688] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1349) returned 1 [0069.688] CloseHandle (hObject=0x1c8) returned 1 [0069.688] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 0x2020 [0069.688] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0069.688] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0069.688] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.688] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.688] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0069.689] GetLastError () returned 0x0 [0069.689] ReadFile (in: hFile=0x1c8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x545, lpOverlapped=0x0) returned 1 [0069.694] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x550, lpOverlapped=0x0) returned 1 [0069.695] ReadFile (in: hFile=0x1c8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0069.695] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0069.695] SetEndOfFile (hFile=0x204) returned 1 [0069.696] CloseHandle (hObject=0x204) returned 1 [0069.696] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.696] SetEndOfFile (hFile=0x1c8) returned 1 [0069.697] CloseHandle (hObject=0x1c8) returned 1 [0069.697] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0069.698] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 1 [0069.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0069.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0069.698] lstrlenW (lpString=".doc") returned 4 [0069.698] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.698] lstrlenW (lpString=".docx") returned 5 [0069.698] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0069.698] lstrlenW (lpString=".pdf") returned 4 [0069.698] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.698] lstrlenW (lpString=".xls") returned 4 [0069.698] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.698] lstrlenW (lpString=".xlsx") returned 5 [0069.698] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0069.698] lstrlenW (lpString=".ppt") returned 4 [0069.698] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.698] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0069.698] lstrlenW (lpString=".zip") returned 4 [0069.698] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.698] lstrlenW (lpString=".rar") returned 4 [0069.698] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.699] lstrlenW (lpString=".bz2") returned 4 [0069.699] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.699] lstrlenW (lpString=".7z") returned 3 [0069.699] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0069.699] lstrlenW (lpString=".dbf") returned 4 [0069.699] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0069.699] lstrlenW (lpString=".1cd") returned 4 [0069.699] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0069.699] lstrlenW (lpString=".jpg") returned 4 [0069.699] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0069.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0069.699] lstrlenW (lpString=".doc") returned 4 [0069.699] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0069.699] lstrlenW (lpString=".docx") returned 5 [0069.699] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0069.699] lstrlenW (lpString=".pdf") returned 4 [0069.699] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0069.699] lstrlenW (lpString=".xls") returned 4 [0069.699] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0069.699] lstrlenW (lpString=".xlsx") returned 5 [0069.699] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0069.699] lstrlenW (lpString=".ppt") returned 4 [0069.699] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0069.699] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0069.699] lstrlenW (lpString=".zip") returned 4 [0069.699] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0069.699] lstrlenW (lpString=".rar") returned 4 [0069.699] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0069.700] lstrlenW (lpString=".bz2") returned 4 [0069.700] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0069.700] lstrlenW (lpString=".7z") returned 3 [0069.700] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0069.700] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0069.700] lstrlenW (lpString=".dbf") returned 4 [0069.700] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0069.700] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0069.700] lstrlenW (lpString=".1cd") returned 4 [0069.700] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0069.700] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0069.700] lstrlenW (lpString=".jpg") returned 4 [0069.700] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0069.700] lstrcmpiW (lpString1=".xml", lpString2=".mnbzr") returned 1 [0069.700] lstrlenW (lpString="branding.xml") returned 12 [0069.700] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0069.701] GetFileSizeEx (in: hFile=0x1c8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=596341) returned 1 [0069.701] CloseHandle (hObject=0x1c8) returned 1 [0069.701] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 0x2020 [0069.701] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0069.701] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0069.701] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.701] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.701] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0069.702] GetLastError () returned 0x0 [0069.702] ReadFile (in: hFile=0x1c8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x91975, lpOverlapped=0x0) returned 1 [0070.705] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0070.721] ReadFile (in: hFile=0x1c8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0070.721] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0070.721] SetEndOfFile (hFile=0x204) returned 1 [0070.721] CloseHandle (hObject=0x204) returned 1 [0071.104] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.104] SetEndOfFile (hFile=0x1c8) returned 1 [0071.111] CloseHandle (hObject=0x1c8) returned 1 [0071.111] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0071.112] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 1 [0071.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0071.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0071.112] lstrlenW (lpString=".doc") returned 4 [0071.112] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0071.112] lstrlenW (lpString=".docx") returned 5 [0071.112] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0071.112] lstrlenW (lpString=".pdf") returned 4 [0071.112] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0071.112] lstrlenW (lpString=".xls") returned 4 [0071.112] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0071.112] lstrlenW (lpString=".xlsx") returned 5 [0071.112] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0071.112] lstrlenW (lpString=".ppt") returned 4 [0071.113] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0071.113] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0071.113] lstrlenW (lpString=".zip") returned 4 [0071.113] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0071.113] lstrlenW (lpString=".rar") returned 4 [0071.113] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0071.114] lstrlenW (lpString=".bz2") returned 4 [0071.114] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0071.114] lstrlenW (lpString=".7z") returned 3 [0071.114] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0071.114] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0071.114] lstrlenW (lpString=".dbf") returned 4 [0071.114] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0071.114] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0071.114] lstrlenW (lpString=".1cd") returned 4 [0071.114] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0071.114] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0071.114] lstrlenW (lpString=".jpg") returned 4 [0071.114] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0071.114] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0071.114] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0071.114] lstrlenW (lpString=".doc") returned 4 [0071.114] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0071.114] lstrlenW (lpString=".docx") returned 5 [0071.114] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0071.114] lstrlenW (lpString=".pdf") returned 4 [0071.114] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0071.114] lstrlenW (lpString=".xls") returned 4 [0071.115] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0071.115] lstrlenW (lpString=".xlsx") returned 5 [0071.115] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0071.115] lstrlenW (lpString=".ppt") returned 4 [0071.115] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0071.115] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0071.115] lstrlenW (lpString=".zip") returned 4 [0071.115] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0071.115] lstrlenW (lpString=".rar") returned 4 [0071.115] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0071.115] lstrlenW (lpString=".bz2") returned 4 [0071.115] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0071.115] lstrlenW (lpString=".7z") returned 3 [0071.115] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0071.115] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0071.115] lstrlenW (lpString=".dbf") returned 4 [0071.115] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0071.115] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0071.115] lstrlenW (lpString=".1cd") returned 4 [0071.115] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0071.115] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0071.115] lstrlenW (lpString=".jpg") returned 4 [0071.115] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0071.116] lstrcmpiW (lpString1=".EPS", lpString2=".mnbzr") returned -1 [0071.116] lstrlenW (lpString="MS.EPS") returned 6 [0071.116] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0071.178] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=15067) returned 1 [0071.178] CloseHandle (hObject=0x204) returned 1 [0071.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 0x20 [0071.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0071.179] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.179] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0071.179] GetLastError () returned 0x0 [0071.179] ReadFile (in: hFile=0x204, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x3adb, lpOverlapped=0x0) returned 1 [0071.197] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x3ae0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x3ae0, lpOverlapped=0x0) returned 1 [0071.198] ReadFile (in: hFile=0x204, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0071.198] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0071.198] SetEndOfFile (hFile=0x1d4) returned 1 [0071.199] CloseHandle (hObject=0x1d4) returned 1 [0071.202] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.202] SetEndOfFile (hFile=0x204) returned 1 [0071.203] CloseHandle (hObject=0x204) returned 1 [0071.203] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0071.203] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 1 [0071.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0071.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0071.204] lstrlenW (lpString=".doc") returned 4 [0071.204] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0071.204] lstrlenW (lpString=".docx") returned 5 [0071.204] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0071.204] lstrlenW (lpString=".pdf") returned 4 [0071.204] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0071.204] lstrlenW (lpString=".xls") returned 4 [0071.204] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0071.204] lstrlenW (lpString=".xlsx") returned 5 [0071.204] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0071.204] lstrlenW (lpString=".ppt") returned 4 [0071.204] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0071.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0071.204] lstrlenW (lpString=".zip") returned 4 [0071.204] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0071.204] lstrlenW (lpString=".rar") returned 4 [0071.204] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0071.204] lstrlenW (lpString=".bz2") returned 4 [0071.204] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0071.204] lstrlenW (lpString=".7z") returned 3 [0071.204] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0071.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0071.204] lstrlenW (lpString=".dbf") returned 4 [0071.204] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0071.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0071.205] lstrlenW (lpString=".1cd") returned 4 [0071.205] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0071.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0071.205] lstrlenW (lpString=".jpg") returned 4 [0071.205] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0071.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0071.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0071.205] lstrlenW (lpString=".doc") returned 4 [0071.205] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0071.205] lstrlenW (lpString=".docx") returned 5 [0071.205] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0071.205] lstrlenW (lpString=".pdf") returned 4 [0071.205] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0071.205] lstrlenW (lpString=".xls") returned 4 [0071.205] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0071.205] lstrlenW (lpString=".xlsx") returned 5 [0071.205] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0071.205] lstrlenW (lpString=".ppt") returned 4 [0071.205] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0071.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0071.494] lstrlenW (lpString=".zip") returned 4 [0071.495] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0071.495] lstrlenW (lpString=".rar") returned 4 [0071.495] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0071.495] lstrlenW (lpString=".bz2") returned 4 [0071.495] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0071.495] lstrlenW (lpString=".7z") returned 3 [0071.495] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0071.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0071.495] lstrlenW (lpString=".dbf") returned 4 [0071.495] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0071.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0071.495] lstrlenW (lpString=".1cd") returned 4 [0071.495] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0071.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0071.495] lstrlenW (lpString=".jpg") returned 4 [0071.495] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0071.495] lstrcmpiW (lpString1=".avi", lpString2=".mnbzr") returned -1 [0071.495] lstrlenW (lpString="boxed-correct.avi") returned 17 [0071.495] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0071.767] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=89600) returned 1 [0071.767] CloseHandle (hObject=0x1ec) returned 1 [0071.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0071.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.768] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0071.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0071.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0071.768] lstrlenW (lpString=".doc") returned 4 [0071.768] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.768] lstrlenW (lpString=".docx") returned 5 [0071.768] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0071.768] lstrlenW (lpString=".pdf") returned 4 [0071.768] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.768] lstrlenW (lpString=".xls") returned 4 [0071.768] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.768] lstrlenW (lpString=".xlsx") returned 5 [0071.768] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0071.768] lstrlenW (lpString=".ppt") returned 4 [0071.768] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0071.768] lstrlenW (lpString=".zip") returned 4 [0071.768] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.768] lstrlenW (lpString=".rar") returned 4 [0071.768] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.768] lstrlenW (lpString=".bz2") returned 4 [0071.768] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.768] lstrlenW (lpString=".7z") returned 3 [0071.768] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0071.768] lstrlenW (lpString=".dbf") returned 4 [0071.768] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0071.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0071.768] lstrlenW (lpString=".1cd") returned 4 [0071.768] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0071.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0071.768] lstrlenW (lpString=".jpg") returned 4 [0071.769] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0071.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0071.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0071.769] lstrlenW (lpString=".doc") returned 4 [0071.769] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.769] lstrlenW (lpString=".docx") returned 5 [0071.769] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0071.769] lstrlenW (lpString=".pdf") returned 4 [0071.769] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.769] lstrlenW (lpString=".xls") returned 4 [0071.769] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.769] lstrlenW (lpString=".xlsx") returned 5 [0071.769] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0071.769] lstrlenW (lpString=".ppt") returned 4 [0071.769] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0071.769] lstrlenW (lpString=".zip") returned 4 [0071.769] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.769] lstrlenW (lpString=".rar") returned 4 [0071.769] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.769] lstrlenW (lpString=".bz2") returned 4 [0071.769] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.769] lstrlenW (lpString=".7z") returned 3 [0071.769] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0071.769] lstrlenW (lpString=".dbf") returned 4 [0071.769] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0071.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0071.769] lstrlenW (lpString=".1cd") returned 4 [0071.769] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0071.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0071.769] lstrlenW (lpString=".jpg") returned 4 [0071.769] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0071.770] lstrcmpiW (lpString1=".avi", lpString2=".mnbzr") returned -1 [0071.770] lstrlenW (lpString="boxed-join.avi") returned 14 [0071.770] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0071.770] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=33280) returned 1 [0071.770] CloseHandle (hObject=0x1ec) returned 1 [0071.770] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0071.770] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.770] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0071.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0071.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0071.770] lstrlenW (lpString=".doc") returned 4 [0071.770] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.770] lstrlenW (lpString=".docx") returned 5 [0071.770] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0071.770] lstrlenW (lpString=".pdf") returned 4 [0071.770] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.771] lstrlenW (lpString=".xls") returned 4 [0071.771] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.771] lstrlenW (lpString=".xlsx") returned 5 [0071.771] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0071.771] lstrlenW (lpString=".ppt") returned 4 [0071.771] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0071.771] lstrlenW (lpString=".zip") returned 4 [0071.771] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.771] lstrlenW (lpString=".rar") returned 4 [0071.771] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.771] lstrlenW (lpString=".bz2") returned 4 [0071.771] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.771] lstrlenW (lpString=".7z") returned 3 [0071.771] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0071.771] lstrlenW (lpString=".dbf") returned 4 [0071.771] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0071.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0071.771] lstrlenW (lpString=".1cd") returned 4 [0071.771] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0071.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0071.771] lstrlenW (lpString=".jpg") returned 4 [0071.771] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0071.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0071.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0071.771] lstrlenW (lpString=".doc") returned 4 [0071.771] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.771] lstrlenW (lpString=".docx") returned 5 [0071.771] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0071.771] lstrlenW (lpString=".pdf") returned 4 [0071.771] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.771] lstrlenW (lpString=".xls") returned 4 [0071.771] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.771] lstrlenW (lpString=".xlsx") returned 5 [0071.772] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0071.772] lstrlenW (lpString=".ppt") returned 4 [0071.772] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0071.772] lstrlenW (lpString=".zip") returned 4 [0071.772] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.772] lstrlenW (lpString=".rar") returned 4 [0071.772] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.772] lstrlenW (lpString=".bz2") returned 4 [0071.772] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.772] lstrlenW (lpString=".7z") returned 3 [0071.772] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0071.772] lstrlenW (lpString=".dbf") returned 4 [0071.772] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0071.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0071.772] lstrlenW (lpString=".1cd") returned 4 [0071.772] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0071.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0071.772] lstrlenW (lpString=".jpg") returned 4 [0071.772] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0071.772] lstrcmpiW (lpString1=".avi", lpString2=".mnbzr") returned -1 [0071.772] lstrlenW (lpString="boxed-split.avi") returned 15 [0071.772] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0071.773] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=62976) returned 1 [0071.773] CloseHandle (hObject=0x1ec) returned 1 [0071.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0071.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0071.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0071.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0071.773] lstrlenW (lpString=".doc") returned 4 [0071.773] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.773] lstrlenW (lpString=".docx") returned 5 [0071.773] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0071.773] lstrlenW (lpString=".pdf") returned 4 [0071.773] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.773] lstrlenW (lpString=".xls") returned 4 [0071.773] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.773] lstrlenW (lpString=".xlsx") returned 5 [0071.773] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0071.773] lstrlenW (lpString=".ppt") returned 4 [0071.773] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0071.773] lstrlenW (lpString=".zip") returned 4 [0071.773] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.773] lstrlenW (lpString=".rar") returned 4 [0071.773] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.773] lstrlenW (lpString=".bz2") returned 4 [0071.773] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.773] lstrlenW (lpString=".7z") returned 3 [0071.773] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0071.774] lstrlenW (lpString=".dbf") returned 4 [0071.774] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0071.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0071.774] lstrlenW (lpString=".1cd") returned 4 [0071.774] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0071.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0071.774] lstrlenW (lpString=".jpg") returned 4 [0071.774] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0071.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0071.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0071.774] lstrlenW (lpString=".doc") returned 4 [0071.774] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.774] lstrlenW (lpString=".docx") returned 5 [0071.774] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0071.774] lstrlenW (lpString=".pdf") returned 4 [0071.774] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.774] lstrlenW (lpString=".xls") returned 4 [0071.774] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.774] lstrlenW (lpString=".xlsx") returned 5 [0071.774] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0071.774] lstrlenW (lpString=".ppt") returned 4 [0071.774] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0071.774] lstrlenW (lpString=".zip") returned 4 [0071.774] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.774] lstrlenW (lpString=".rar") returned 4 [0071.774] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.774] lstrlenW (lpString=".bz2") returned 4 [0071.774] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.774] lstrlenW (lpString=".7z") returned 3 [0071.774] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0071.774] lstrlenW (lpString=".dbf") returned 4 [0071.775] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0071.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0071.775] lstrlenW (lpString=".1cd") returned 4 [0071.775] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0071.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0071.775] lstrlenW (lpString=".jpg") returned 4 [0071.775] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0071.775] lstrcmpiW (lpString1=".avi", lpString2=".mnbzr") returned -1 [0071.775] lstrlenW (lpString="correct.avi") returned 11 [0071.775] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0071.775] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=197120) returned 1 [0071.775] CloseHandle (hObject=0x1ec) returned 1 [0071.775] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0071.775] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.775] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0071.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0071.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0071.776] lstrlenW (lpString=".doc") returned 4 [0071.776] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.776] lstrlenW (lpString=".docx") returned 5 [0071.776] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0071.776] lstrlenW (lpString=".pdf") returned 4 [0071.776] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.776] lstrlenW (lpString=".xls") returned 4 [0071.776] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.776] lstrlenW (lpString=".xlsx") returned 5 [0071.776] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0071.776] lstrlenW (lpString=".ppt") returned 4 [0071.776] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0071.776] lstrlenW (lpString=".zip") returned 4 [0071.776] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.776] lstrlenW (lpString=".rar") returned 4 [0071.776] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.776] lstrlenW (lpString=".bz2") returned 4 [0071.776] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.776] lstrlenW (lpString=".7z") returned 3 [0071.776] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0071.776] lstrlenW (lpString=".dbf") returned 4 [0071.776] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0071.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0071.776] lstrlenW (lpString=".1cd") returned 4 [0071.776] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0071.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0071.776] lstrlenW (lpString=".jpg") returned 4 [0071.776] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0071.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0071.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0071.776] lstrlenW (lpString=".doc") returned 4 [0071.776] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.777] lstrlenW (lpString=".docx") returned 5 [0071.777] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0071.777] lstrlenW (lpString=".pdf") returned 4 [0071.777] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.777] lstrlenW (lpString=".xls") returned 4 [0071.777] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.777] lstrlenW (lpString=".xlsx") returned 5 [0071.777] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0071.777] lstrlenW (lpString=".ppt") returned 4 [0071.777] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0071.777] lstrlenW (lpString=".zip") returned 4 [0071.777] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.777] lstrlenW (lpString=".rar") returned 4 [0071.777] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.777] lstrlenW (lpString=".bz2") returned 4 [0071.777] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.777] lstrlenW (lpString=".7z") returned 3 [0071.777] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0071.777] lstrlenW (lpString=".dbf") returned 4 [0071.777] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0071.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0071.777] lstrlenW (lpString=".1cd") returned 4 [0071.777] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0071.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0071.777] lstrlenW (lpString=".jpg") returned 4 [0071.777] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0071.777] lstrcmpiW (lpString1=".avi", lpString2=".mnbzr") returned -1 [0071.777] lstrlenW (lpString="delete.avi") returned 10 [0071.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0071.778] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=224256) returned 1 [0071.778] CloseHandle (hObject=0x1ec) returned 1 [0071.778] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0071.779] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0071.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0071.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0071.779] lstrlenW (lpString=".doc") returned 4 [0071.779] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.779] lstrlenW (lpString=".docx") returned 5 [0071.779] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0071.779] lstrlenW (lpString=".pdf") returned 4 [0071.779] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.779] lstrlenW (lpString=".xls") returned 4 [0071.779] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.779] lstrlenW (lpString=".xlsx") returned 5 [0071.779] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0071.779] lstrlenW (lpString=".ppt") returned 4 [0071.779] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0071.779] lstrlenW (lpString=".zip") returned 4 [0071.779] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.779] lstrlenW (lpString=".rar") returned 4 [0071.779] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.779] lstrlenW (lpString=".bz2") returned 4 [0071.779] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.779] lstrlenW (lpString=".7z") returned 3 [0071.779] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0071.779] lstrlenW (lpString=".dbf") returned 4 [0071.779] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0071.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0071.779] lstrlenW (lpString=".1cd") returned 4 [0071.779] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0071.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0071.779] lstrlenW (lpString=".jpg") returned 4 [0071.780] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0071.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0071.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0071.780] lstrlenW (lpString=".doc") returned 4 [0071.780] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.780] lstrlenW (lpString=".docx") returned 5 [0071.780] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0071.780] lstrlenW (lpString=".pdf") returned 4 [0071.780] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.780] lstrlenW (lpString=".xls") returned 4 [0071.780] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.780] lstrlenW (lpString=".xlsx") returned 5 [0071.780] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0071.780] lstrlenW (lpString=".ppt") returned 4 [0071.780] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0071.780] lstrlenW (lpString=".zip") returned 4 [0071.780] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.780] lstrlenW (lpString=".rar") returned 4 [0071.780] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.780] lstrlenW (lpString=".bz2") returned 4 [0071.780] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.780] lstrlenW (lpString=".7z") returned 3 [0071.780] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0071.780] lstrlenW (lpString=".dbf") returned 4 [0071.780] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0071.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0071.780] lstrlenW (lpString=".1cd") returned 4 [0071.780] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0071.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0071.780] lstrlenW (lpString=".jpg") returned 4 [0071.780] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0071.781] lstrcmpiW (lpString1=".avi", lpString2=".mnbzr") returned -1 [0071.781] lstrlenW (lpString="join.avi") returned 8 [0071.781] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0071.781] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=222208) returned 1 [0071.781] CloseHandle (hObject=0x1ec) returned 1 [0071.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0071.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.781] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0071.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0071.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0071.781] lstrlenW (lpString=".doc") returned 4 [0071.781] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0071.781] lstrlenW (lpString=".docx") returned 5 [0071.781] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0071.781] lstrlenW (lpString=".pdf") returned 4 [0071.781] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0071.781] lstrlenW (lpString=".xls") returned 4 [0071.781] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0071.781] lstrlenW (lpString=".xlsx") returned 5 [0071.781] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0071.782] lstrlenW (lpString=".ppt") returned 4 [0071.782] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0071.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0071.782] lstrlenW (lpString=".zip") returned 4 [0071.782] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0071.782] lstrlenW (lpString=".rar") returned 4 [0071.782] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0071.782] lstrlenW (lpString=".bz2") returned 4 [0071.782] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0071.782] lstrlenW (lpString=".7z") returned 3 [0071.782] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0071.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0071.782] lstrlenW (lpString=".dbf") returned 4 [0071.782] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0072.503] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0 [0072.922] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0072.922] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0072.922] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0072.923] GetLastError () returned 0x0 [0072.923] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x795, lpOverlapped=0x0) returned 1 [0072.925] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x7a0, lpOverlapped=0x0) returned 1 [0072.926] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0072.926] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0072.926] SetEndOfFile (hFile=0x204) returned 1 [0072.926] CloseHandle (hObject=0x204) returned 1 [0072.927] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0072.927] SetEndOfFile (hFile=0x1ec) returned 1 [0072.928] CloseHandle (hObject=0x1ec) returned 1 [0072.928] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0072.928] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 1 [0072.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0072.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0072.929] lstrlenW (lpString=".doc") returned 4 [0072.929] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0072.929] lstrlenW (lpString=".docx") returned 5 [0072.929] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0072.929] lstrlenW (lpString=".pdf") returned 4 [0072.929] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0072.929] lstrlenW (lpString=".xls") returned 4 [0072.929] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0072.929] lstrlenW (lpString=".xlsx") returned 5 [0072.929] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0072.929] lstrlenW (lpString=".ppt") returned 4 [0072.929] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0072.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0072.929] lstrlenW (lpString=".zip") returned 4 [0072.929] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0072.929] lstrlenW (lpString=".rar") returned 4 [0072.929] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0072.929] lstrlenW (lpString=".bz2") returned 4 [0072.929] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0072.929] lstrlenW (lpString=".7z") returned 3 [0072.929] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0072.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0072.929] lstrlenW (lpString=".dbf") returned 4 [0072.929] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0072.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0072.930] lstrlenW (lpString=".1cd") returned 4 [0072.930] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0072.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0072.930] lstrlenW (lpString=".jpg") returned 4 [0072.930] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0072.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0072.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0072.930] lstrlenW (lpString=".doc") returned 4 [0072.930] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0072.930] lstrlenW (lpString=".docx") returned 5 [0072.930] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0072.930] lstrlenW (lpString=".pdf") returned 4 [0072.930] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0072.930] lstrlenW (lpString=".xls") returned 4 [0072.930] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0072.930] lstrlenW (lpString=".xlsx") returned 5 [0072.930] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0072.930] lstrlenW (lpString=".ppt") returned 4 [0072.930] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0072.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0072.930] lstrlenW (lpString=".zip") returned 4 [0072.930] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0072.930] lstrlenW (lpString=".rar") returned 4 [0072.930] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0072.930] lstrlenW (lpString=".bz2") returned 4 [0072.930] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0072.930] lstrlenW (lpString=".7z") returned 3 [0072.930] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0072.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0072.930] lstrlenW (lpString=".dbf") returned 4 [0072.930] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0072.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0072.931] lstrlenW (lpString=".1cd") returned 4 [0072.931] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0072.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0072.931] lstrlenW (lpString=".jpg") returned 4 [0072.931] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0072.931] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0072.931] lstrlenW (lpString="AccessMUI.XML") returned 13 [0072.931] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.932] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1349) returned 1 [0072.932] CloseHandle (hObject=0x1ec) returned 1 [0072.932] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 0x20 [0072.932] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.932] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.932] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0072.933] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0072.933] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0072.933] GetLastError () returned 0x0 [0072.933] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x545, lpOverlapped=0x0) returned 1 [0072.938] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x550, lpOverlapped=0x0) returned 1 [0072.939] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0072.939] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0072.939] SetEndOfFile (hFile=0x204) returned 1 [0072.939] CloseHandle (hObject=0x204) returned 1 [0072.940] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0072.940] SetEndOfFile (hFile=0x1ec) returned 1 [0072.941] CloseHandle (hObject=0x1ec) returned 1 [0072.941] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0072.941] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 1 [0072.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0072.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0072.941] lstrlenW (lpString=".doc") returned 4 [0072.941] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0072.941] lstrlenW (lpString=".docx") returned 5 [0072.942] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0072.942] lstrlenW (lpString=".pdf") returned 4 [0072.942] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0072.942] lstrlenW (lpString=".xls") returned 4 [0072.942] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0072.942] lstrlenW (lpString=".xlsx") returned 5 [0072.942] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0072.942] lstrlenW (lpString=".ppt") returned 4 [0072.942] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0072.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0072.942] lstrlenW (lpString=".zip") returned 4 [0072.942] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0072.942] lstrlenW (lpString=".rar") returned 4 [0072.942] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0072.942] lstrlenW (lpString=".bz2") returned 4 [0072.942] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0072.942] lstrlenW (lpString=".7z") returned 3 [0072.942] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0072.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0072.942] lstrlenW (lpString=".dbf") returned 4 [0072.942] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0072.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0072.942] lstrlenW (lpString=".1cd") returned 4 [0072.942] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0072.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0072.942] lstrlenW (lpString=".jpg") returned 4 [0072.942] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0072.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0072.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0072.942] lstrlenW (lpString=".doc") returned 4 [0072.942] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0072.942] lstrlenW (lpString=".docx") returned 5 [0072.942] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0072.943] lstrlenW (lpString=".pdf") returned 4 [0072.943] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0072.943] lstrlenW (lpString=".xls") returned 4 [0072.943] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0072.943] lstrlenW (lpString=".xlsx") returned 5 [0072.943] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0072.943] lstrlenW (lpString=".ppt") returned 4 [0072.943] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0072.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0072.943] lstrlenW (lpString=".zip") returned 4 [0072.943] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0072.943] lstrlenW (lpString=".rar") returned 4 [0072.943] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0072.943] lstrlenW (lpString=".bz2") returned 4 [0072.943] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0072.943] lstrlenW (lpString=".7z") returned 3 [0072.943] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0072.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0072.943] lstrlenW (lpString=".dbf") returned 4 [0072.943] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0072.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0072.943] lstrlenW (lpString=".1cd") returned 4 [0072.943] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0072.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0072.943] lstrlenW (lpString=".jpg") returned 4 [0072.943] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0072.943] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0072.943] lstrlenW (lpString="AccessMUISet.XML") returned 16 [0072.943] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.944] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=819) returned 1 [0072.944] CloseHandle (hObject=0x1ec) returned 1 [0072.945] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 0x20 [0072.945] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.945] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.945] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0072.945] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0072.945] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0072.945] GetLastError () returned 0x0 [0072.945] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x333, lpOverlapped=0x0) returned 1 [0072.947] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x340, lpOverlapped=0x0) returned 1 [0072.948] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0072.948] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0072.948] SetEndOfFile (hFile=0x204) returned 1 [0072.948] CloseHandle (hObject=0x204) returned 1 [0072.949] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0072.949] SetEndOfFile (hFile=0x1ec) returned 1 [0072.950] CloseHandle (hObject=0x1ec) returned 1 [0072.950] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0072.950] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 1 [0072.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0072.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0072.951] lstrlenW (lpString=".doc") returned 4 [0072.951] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0072.951] lstrlenW (lpString=".docx") returned 5 [0072.951] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0072.951] lstrlenW (lpString=".pdf") returned 4 [0072.951] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0072.951] lstrlenW (lpString=".xls") returned 4 [0072.951] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0072.951] lstrlenW (lpString=".xlsx") returned 5 [0072.951] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0072.951] lstrlenW (lpString=".ppt") returned 4 [0072.951] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0072.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0072.951] lstrlenW (lpString=".zip") returned 4 [0072.951] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0072.951] lstrlenW (lpString=".rar") returned 4 [0072.951] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0072.951] lstrlenW (lpString=".bz2") returned 4 [0072.951] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0072.951] lstrlenW (lpString=".7z") returned 3 [0072.951] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0072.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0072.951] lstrlenW (lpString=".dbf") returned 4 [0072.951] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0072.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0072.951] lstrlenW (lpString=".1cd") returned 4 [0072.951] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0072.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0072.951] lstrlenW (lpString=".jpg") returned 4 [0072.951] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0072.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0072.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0072.951] lstrlenW (lpString=".doc") returned 4 [0072.951] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0072.952] lstrlenW (lpString=".docx") returned 5 [0072.952] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0072.952] lstrlenW (lpString=".pdf") returned 4 [0072.952] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0072.952] lstrlenW (lpString=".xls") returned 4 [0072.952] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0072.952] lstrlenW (lpString=".xlsx") returned 5 [0072.952] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0072.952] lstrlenW (lpString=".ppt") returned 4 [0072.952] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0072.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0072.952] lstrlenW (lpString=".zip") returned 4 [0072.952] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0072.952] lstrlenW (lpString=".rar") returned 4 [0072.952] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0072.952] lstrlenW (lpString=".bz2") returned 4 [0072.952] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0072.952] lstrlenW (lpString=".7z") returned 3 [0072.952] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0072.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0072.952] lstrlenW (lpString=".dbf") returned 4 [0072.952] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0072.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0072.952] lstrlenW (lpString=".1cd") returned 4 [0072.952] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0072.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0072.952] lstrlenW (lpString=".jpg") returned 4 [0072.952] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0072.952] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0072.953] lstrlenW (lpString="SETUP.XML") returned 9 [0072.953] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.954] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=2624) returned 1 [0072.954] CloseHandle (hObject=0x1ec) returned 1 [0072.954] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 0x20 [0072.954] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0072.954] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0072.954] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0072.954] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0072.954] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0072.955] GetLastError () returned 0x0 [0072.955] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0xa40, lpOverlapped=0x0) returned 1 [0073.165] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0073.167] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0073.167] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0073.168] SetEndOfFile (hFile=0x204) returned 1 [0073.168] CloseHandle (hObject=0x204) returned 1 [0073.169] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.169] SetEndOfFile (hFile=0x1ec) returned 1 [0073.170] CloseHandle (hObject=0x1ec) returned 1 [0073.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0073.170] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 1 [0073.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0073.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0073.171] lstrlenW (lpString=".doc") returned 4 [0073.171] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0073.171] lstrlenW (lpString=".docx") returned 5 [0073.171] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0073.171] lstrlenW (lpString=".pdf") returned 4 [0073.171] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0073.171] lstrlenW (lpString=".xls") returned 4 [0073.171] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0073.171] lstrlenW (lpString=".xlsx") returned 5 [0073.171] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0073.171] lstrlenW (lpString=".ppt") returned 4 [0073.171] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0073.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0073.171] lstrlenW (lpString=".zip") returned 4 [0073.171] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0073.171] lstrlenW (lpString=".rar") returned 4 [0073.171] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0073.171] lstrlenW (lpString=".bz2") returned 4 [0073.171] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0073.171] lstrlenW (lpString=".7z") returned 3 [0073.171] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0073.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0073.172] lstrlenW (lpString=".dbf") returned 4 [0073.172] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0073.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0073.172] lstrlenW (lpString=".1cd") returned 4 [0073.172] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0073.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0073.172] lstrlenW (lpString=".jpg") returned 4 [0073.172] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0073.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0073.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0073.172] lstrlenW (lpString=".doc") returned 4 [0073.172] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0073.172] lstrlenW (lpString=".docx") returned 5 [0073.172] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0073.172] lstrlenW (lpString=".pdf") returned 4 [0073.172] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0073.172] lstrlenW (lpString=".xls") returned 4 [0073.172] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0073.172] lstrlenW (lpString=".xlsx") returned 5 [0073.172] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0073.172] lstrlenW (lpString=".ppt") returned 4 [0073.172] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0073.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0073.172] lstrlenW (lpString=".zip") returned 4 [0073.172] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0073.173] lstrlenW (lpString=".rar") returned 4 [0073.173] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0073.173] lstrlenW (lpString=".bz2") returned 4 [0073.173] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0073.173] lstrlenW (lpString=".7z") returned 3 [0073.173] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0073.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0073.173] lstrlenW (lpString=".dbf") returned 4 [0073.173] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0073.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0073.173] lstrlenW (lpString=".1cd") returned 4 [0073.173] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0073.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0073.173] lstrlenW (lpString=".jpg") returned 4 [0073.173] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0073.173] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0073.173] lstrlenW (lpString="GrooveMUI.XML") returned 13 [0073.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0073.174] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=913) returned 1 [0073.174] CloseHandle (hObject=0x1ec) returned 1 [0073.174] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 0x20 [0073.174] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0073.174] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0073.174] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.174] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.174] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0073.182] GetLastError () returned 0x0 [0073.182] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x391, lpOverlapped=0x0) returned 1 [0073.329] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0073.350] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0073.350] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0073.351] SetEndOfFile (hFile=0x204) returned 1 [0073.351] CloseHandle (hObject=0x204) returned 1 [0073.355] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.357] SetEndOfFile (hFile=0x1ec) returned 1 [0073.358] CloseHandle (hObject=0x1ec) returned 1 [0073.358] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0073.358] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 1 [0073.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0073.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0073.359] lstrlenW (lpString=".doc") returned 4 [0073.359] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0073.359] lstrlenW (lpString=".docx") returned 5 [0073.359] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0073.359] lstrlenW (lpString=".pdf") returned 4 [0073.359] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0073.359] lstrlenW (lpString=".xls") returned 4 [0073.359] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0073.359] lstrlenW (lpString=".xlsx") returned 5 [0073.359] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0073.359] lstrlenW (lpString=".ppt") returned 4 [0073.359] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0073.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0073.359] lstrlenW (lpString=".zip") returned 4 [0073.359] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0073.359] lstrlenW (lpString=".rar") returned 4 [0073.359] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0073.359] lstrlenW (lpString=".bz2") returned 4 [0073.360] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0073.360] lstrlenW (lpString=".7z") returned 3 [0073.360] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0073.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0073.360] lstrlenW (lpString=".dbf") returned 4 [0073.360] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0073.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0073.360] lstrlenW (lpString=".1cd") returned 4 [0073.360] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0073.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0073.360] lstrlenW (lpString=".jpg") returned 4 [0073.360] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0073.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0073.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0073.360] lstrlenW (lpString=".doc") returned 4 [0073.360] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0073.360] lstrlenW (lpString=".docx") returned 5 [0073.360] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0073.360] lstrlenW (lpString=".pdf") returned 4 [0073.360] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0073.360] lstrlenW (lpString=".xls") returned 4 [0073.360] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0073.360] lstrlenW (lpString=".xlsx") returned 5 [0073.360] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0073.360] lstrlenW (lpString=".ppt") returned 4 [0073.360] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0073.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0073.361] lstrlenW (lpString=".zip") returned 4 [0073.361] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0073.361] lstrlenW (lpString=".rar") returned 4 [0073.361] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0073.361] lstrlenW (lpString=".bz2") returned 4 [0073.361] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0073.361] lstrlenW (lpString=".7z") returned 3 [0073.361] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0073.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0073.361] lstrlenW (lpString=".dbf") returned 4 [0073.361] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0073.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0073.361] lstrlenW (lpString=".1cd") returned 4 [0073.361] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0073.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0073.361] lstrlenW (lpString=".jpg") returned 4 [0073.361] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0073.361] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0073.361] lstrlenW (lpString="SETUP.XML") returned 9 [0073.361] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0073.466] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1452) returned 1 [0073.466] CloseHandle (hObject=0x1ec) returned 1 [0073.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 0x20 [0073.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0073.467] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0073.467] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.467] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.467] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0073.468] GetLastError () returned 0x0 [0073.468] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0073.532] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0073.534] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0073.534] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0073.534] SetEndOfFile (hFile=0x204) returned 1 [0073.534] CloseHandle (hObject=0x204) returned 1 [0073.541] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0073.541] SetEndOfFile (hFile=0x1ec) returned 1 [0073.542] CloseHandle (hObject=0x1ec) returned 1 [0073.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0073.543] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 1 [0073.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0073.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0073.543] lstrlenW (lpString=".doc") returned 4 [0073.543] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0073.543] lstrlenW (lpString=".docx") returned 5 [0073.543] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0073.543] lstrlenW (lpString=".pdf") returned 4 [0073.543] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0073.543] lstrlenW (lpString=".xls") returned 4 [0073.543] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0073.543] lstrlenW (lpString=".xlsx") returned 5 [0073.543] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0073.543] lstrlenW (lpString=".ppt") returned 4 [0073.543] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0073.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0073.544] lstrlenW (lpString=".zip") returned 4 [0073.544] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0073.544] lstrlenW (lpString=".rar") returned 4 [0073.544] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0073.544] lstrlenW (lpString=".bz2") returned 4 [0073.544] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0073.544] lstrlenW (lpString=".7z") returned 3 [0073.544] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0073.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0073.544] lstrlenW (lpString=".dbf") returned 4 [0073.544] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0073.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0073.544] lstrlenW (lpString=".1cd") returned 4 [0073.544] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0073.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0073.544] lstrlenW (lpString=".jpg") returned 4 [0073.544] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0073.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0073.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0073.544] lstrlenW (lpString=".doc") returned 4 [0073.544] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0073.544] lstrlenW (lpString=".docx") returned 5 [0073.544] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0073.544] lstrlenW (lpString=".pdf") returned 4 [0073.545] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0073.545] lstrlenW (lpString=".xls") returned 4 [0073.545] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0073.545] lstrlenW (lpString=".xlsx") returned 5 [0073.545] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0073.545] lstrlenW (lpString=".ppt") returned 4 [0073.545] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0073.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0073.545] lstrlenW (lpString=".zip") returned 4 [0073.545] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0073.545] lstrlenW (lpString=".rar") returned 4 [0073.545] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0073.545] lstrlenW (lpString=".bz2") returned 4 [0073.545] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0073.545] lstrlenW (lpString=".7z") returned 3 [0073.545] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0073.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0073.545] lstrlenW (lpString=".dbf") returned 4 [0073.545] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0073.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0073.964] lstrlenW (lpString=".1cd") returned 4 [0073.964] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0073.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0073.964] lstrlenW (lpString=".jpg") returned 4 [0073.964] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0073.964] lstrcmpiW (lpString1=".CHM", lpString2=".mnbzr") returned -1 [0073.964] lstrlenW (lpString="OCT.CHM") returned 7 [0073.964] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0074.016] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=71236) returned 1 [0074.016] CloseHandle (hObject=0x1d4) returned 1 [0074.016] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 0x20 [0074.016] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0074.016] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.016] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.017] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0074.155] GetLastError () returned 0x0 [0074.155] ReadFile (in: hFile=0x1d4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x11644, lpOverlapped=0x0) returned 1 [0074.175] WriteFile (in: hFile=0x1c8, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x11650, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x11650, lpOverlapped=0x0) returned 1 [0074.178] ReadFile (in: hFile=0x1d4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0074.178] WriteFile (in: hFile=0x1c8, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0074.178] SetEndOfFile (hFile=0x1c8) returned 1 [0074.179] CloseHandle (hObject=0x1c8) returned 1 [0074.186] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.186] SetEndOfFile (hFile=0x1d4) returned 1 [0074.187] CloseHandle (hObject=0x1d4) returned 1 [0074.187] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0074.188] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 1 [0074.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0074.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0074.188] lstrlenW (lpString=".doc") returned 4 [0074.188] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0074.188] lstrlenW (lpString=".docx") returned 5 [0074.188] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0074.188] lstrlenW (lpString=".pdf") returned 4 [0074.188] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0074.188] lstrlenW (lpString=".xls") returned 4 [0074.188] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0074.188] lstrlenW (lpString=".xlsx") returned 5 [0074.188] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0074.188] lstrlenW (lpString=".ppt") returned 4 [0074.188] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0074.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0074.188] lstrlenW (lpString=".zip") returned 4 [0074.188] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0074.188] lstrlenW (lpString=".rar") returned 4 [0074.189] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0074.189] lstrlenW (lpString=".bz2") returned 4 [0074.189] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0074.189] lstrlenW (lpString=".7z") returned 3 [0074.189] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0074.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0074.189] lstrlenW (lpString=".dbf") returned 4 [0074.189] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0074.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0074.189] lstrlenW (lpString=".1cd") returned 4 [0074.189] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0074.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0074.189] lstrlenW (lpString=".jpg") returned 4 [0074.189] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0074.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0074.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0074.189] lstrlenW (lpString=".doc") returned 4 [0074.189] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0074.189] lstrlenW (lpString=".docx") returned 5 [0074.189] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0074.189] lstrlenW (lpString=".pdf") returned 4 [0074.189] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0074.189] lstrlenW (lpString=".xls") returned 4 [0074.189] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0074.189] lstrlenW (lpString=".xlsx") returned 5 [0074.189] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0074.189] lstrlenW (lpString=".ppt") returned 4 [0074.189] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0074.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0074.189] lstrlenW (lpString=".zip") returned 4 [0074.189] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0074.189] lstrlenW (lpString=".rar") returned 4 [0074.189] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0074.190] lstrlenW (lpString=".bz2") returned 4 [0074.190] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0074.190] lstrlenW (lpString=".7z") returned 3 [0074.190] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0074.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0074.190] lstrlenW (lpString=".dbf") returned 4 [0074.190] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0074.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0074.190] lstrlenW (lpString=".1cd") returned 4 [0074.190] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0074.190] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0074.190] lstrlenW (lpString=".jpg") returned 4 [0074.190] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0074.311] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0074.311] lstrlenW (lpString="OfficeMUISet.XML") returned 16 [0074.311] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0074.312] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=819) returned 1 [0074.312] CloseHandle (hObject=0x208) returned 1 [0074.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 0x20 [0074.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0074.312] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.312] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0074.313] GetLastError () returned 0x0 [0074.313] ReadFile (in: hFile=0x208, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x333, lpOverlapped=0x0) returned 1 [0074.317] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x340, lpOverlapped=0x0) returned 1 [0074.319] ReadFile (in: hFile=0x208, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0074.319] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0074.319] SetEndOfFile (hFile=0x1d4) returned 1 [0074.319] CloseHandle (hObject=0x1d4) returned 1 [0074.321] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.321] SetEndOfFile (hFile=0x208) returned 1 [0074.322] CloseHandle (hObject=0x208) returned 1 [0074.322] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0074.323] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 1 [0074.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0074.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0074.323] lstrlenW (lpString=".doc") returned 4 [0074.323] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0074.323] lstrlenW (lpString=".docx") returned 5 [0074.323] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0074.323] lstrlenW (lpString=".pdf") returned 4 [0074.323] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0074.323] lstrlenW (lpString=".xls") returned 4 [0074.323] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0074.323] lstrlenW (lpString=".xlsx") returned 5 [0074.323] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0074.324] lstrlenW (lpString=".ppt") returned 4 [0074.324] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0074.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0074.324] lstrlenW (lpString=".zip") returned 4 [0074.324] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0074.324] lstrlenW (lpString=".rar") returned 4 [0074.324] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0074.324] lstrlenW (lpString=".bz2") returned 4 [0074.324] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0074.324] lstrlenW (lpString=".7z") returned 3 [0074.324] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0074.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0074.324] lstrlenW (lpString=".dbf") returned 4 [0074.324] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0074.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0074.324] lstrlenW (lpString=".1cd") returned 4 [0074.324] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0074.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0074.324] lstrlenW (lpString=".jpg") returned 4 [0074.324] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0074.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0074.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0074.324] lstrlenW (lpString=".doc") returned 4 [0074.324] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0074.324] lstrlenW (lpString=".docx") returned 5 [0074.324] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0074.325] lstrlenW (lpString=".pdf") returned 4 [0074.325] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0074.325] lstrlenW (lpString=".xls") returned 4 [0074.325] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0074.325] lstrlenW (lpString=".xlsx") returned 5 [0074.325] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0074.325] lstrlenW (lpString=".ppt") returned 4 [0074.325] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0074.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0074.325] lstrlenW (lpString=".zip") returned 4 [0074.325] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0074.325] lstrlenW (lpString=".rar") returned 4 [0074.325] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0074.325] lstrlenW (lpString=".bz2") returned 4 [0074.325] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0074.325] lstrlenW (lpString=".7z") returned 3 [0074.325] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0074.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0074.325] lstrlenW (lpString=".dbf") returned 4 [0074.325] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0074.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0074.326] lstrlenW (lpString=".1cd") returned 4 [0074.326] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0074.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0074.326] lstrlenW (lpString=".jpg") returned 4 [0074.326] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0074.326] lstrcmpiW (lpString1=".CHM", lpString2=".mnbzr") returned -1 [0074.326] lstrlenW (lpString="PSCONFIG.CHM") returned 12 [0074.326] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0074.327] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=37689) returned 1 [0074.327] CloseHandle (hObject=0x208) returned 1 [0074.327] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 0x20 [0074.327] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.327] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0074.328] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.328] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.328] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0074.328] GetLastError () returned 0x0 [0074.328] ReadFile (in: hFile=0x208, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x9339, lpOverlapped=0x0) returned 1 [0074.347] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x9340, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x9340, lpOverlapped=0x0) returned 1 [0074.349] ReadFile (in: hFile=0x208, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0074.349] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0074.349] SetEndOfFile (hFile=0x1d4) returned 1 [0074.349] CloseHandle (hObject=0x1d4) returned 1 [0074.351] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.351] SetEndOfFile (hFile=0x208) returned 1 [0074.355] CloseHandle (hObject=0x208) returned 1 [0074.355] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0074.356] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 1 [0074.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0074.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0074.356] lstrlenW (lpString=".doc") returned 4 [0074.356] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0074.356] lstrlenW (lpString=".docx") returned 5 [0074.356] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0074.356] lstrlenW (lpString=".pdf") returned 4 [0074.356] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0074.581] lstrlenW (lpString=".xls") returned 4 [0074.581] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0074.581] lstrlenW (lpString=".xlsx") returned 5 [0074.581] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0074.581] lstrlenW (lpString=".ppt") returned 4 [0074.581] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0074.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0074.581] lstrlenW (lpString=".zip") returned 4 [0074.581] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0074.581] lstrlenW (lpString=".rar") returned 4 [0074.581] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0074.581] lstrlenW (lpString=".bz2") returned 4 [0074.582] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0074.582] lstrlenW (lpString=".7z") returned 3 [0074.582] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0074.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0074.582] lstrlenW (lpString=".dbf") returned 4 [0074.582] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0074.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0074.582] lstrlenW (lpString=".1cd") returned 4 [0074.582] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0074.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0074.582] lstrlenW (lpString=".jpg") returned 4 [0074.582] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0074.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0074.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0074.582] lstrlenW (lpString=".doc") returned 4 [0074.582] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0074.582] lstrlenW (lpString=".docx") returned 5 [0074.582] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0074.582] lstrlenW (lpString=".pdf") returned 4 [0074.582] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0074.582] lstrlenW (lpString=".xls") returned 4 [0074.582] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0074.582] lstrlenW (lpString=".xlsx") returned 5 [0074.582] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0074.582] lstrlenW (lpString=".ppt") returned 4 [0074.582] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0074.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0074.582] lstrlenW (lpString=".zip") returned 4 [0074.582] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0074.582] lstrlenW (lpString=".rar") returned 4 [0074.582] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0074.582] lstrlenW (lpString=".bz2") returned 4 [0074.582] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0074.582] lstrlenW (lpString=".7z") returned 3 [0074.582] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0074.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0074.583] lstrlenW (lpString=".dbf") returned 4 [0074.583] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0074.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0074.583] lstrlenW (lpString=".1cd") returned 4 [0074.583] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0074.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0074.583] lstrlenW (lpString=".jpg") returned 4 [0074.583] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0074.583] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0074.583] lstrlenW (lpString="Office32MUI.XML") returned 15 [0074.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0074.750] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1383) returned 1 [0074.750] CloseHandle (hObject=0x1b8) returned 1 [0074.750] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 0x20 [0074.750] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.750] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0074.750] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.750] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.750] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0075.653] GetLastError () returned 0x0 [0075.653] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x567, lpOverlapped=0x0) returned 1 [0075.801] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x570, lpOverlapped=0x0) returned 1 [0075.802] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0075.802] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0075.802] SetEndOfFile (hFile=0x1b0) returned 1 [0075.802] CloseHandle (hObject=0x1b0) returned 1 [0075.803] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.803] SetEndOfFile (hFile=0x1b8) returned 1 [0075.804] CloseHandle (hObject=0x1b8) returned 1 [0075.804] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0075.805] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 1 [0075.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0075.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0075.806] lstrlenW (lpString=".doc") returned 4 [0075.806] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.806] lstrlenW (lpString=".docx") returned 5 [0075.806] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0075.806] lstrlenW (lpString=".pdf") returned 4 [0075.806] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.806] lstrlenW (lpString=".xls") returned 4 [0075.806] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.806] lstrlenW (lpString=".xlsx") returned 5 [0075.806] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0075.806] lstrlenW (lpString=".ppt") returned 4 [0075.806] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.806] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0075.806] lstrlenW (lpString=".zip") returned 4 [0075.806] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.806] lstrlenW (lpString=".rar") returned 4 [0075.806] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.806] lstrlenW (lpString=".bz2") returned 4 [0075.806] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.806] lstrlenW (lpString=".7z") returned 3 [0075.806] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.806] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0075.806] lstrlenW (lpString=".dbf") returned 4 [0075.806] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.806] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0075.806] lstrlenW (lpString=".1cd") returned 4 [0075.806] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.806] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0075.807] lstrlenW (lpString=".jpg") returned 4 [0075.807] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.807] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0075.807] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0075.807] lstrlenW (lpString=".doc") returned 4 [0075.807] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0075.807] lstrlenW (lpString=".docx") returned 5 [0075.807] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0075.807] lstrlenW (lpString=".pdf") returned 4 [0075.807] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0075.807] lstrlenW (lpString=".xls") returned 4 [0075.807] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0075.807] lstrlenW (lpString=".xlsx") returned 5 [0075.807] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0075.807] lstrlenW (lpString=".ppt") returned 4 [0075.807] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0075.807] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0075.807] lstrlenW (lpString=".zip") returned 4 [0075.807] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0075.807] lstrlenW (lpString=".rar") returned 4 [0075.808] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0075.808] lstrlenW (lpString=".bz2") returned 4 [0075.808] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0075.808] lstrlenW (lpString=".7z") returned 3 [0075.808] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0075.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0075.808] lstrlenW (lpString=".dbf") returned 4 [0075.808] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0075.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0075.808] lstrlenW (lpString=".1cd") returned 4 [0075.808] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0075.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0075.808] lstrlenW (lpString=".jpg") returned 4 [0075.808] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0075.892] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0075.892] lstrlenW (lpString="SETUP.XML") returned 9 [0075.892] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0077.814] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1886) returned 1 [0077.814] CloseHandle (hObject=0x1b8) returned 1 [0077.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 0x20 [0077.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0077.814] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0077.814] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.814] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.814] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0077.815] GetLastError () returned 0x0 [0077.815] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x75e, lpOverlapped=0x0) returned 1 [0077.905] WriteFile (in: hFile=0x1f0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x760, lpOverlapped=0x0) returned 1 [0077.906] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0077.906] WriteFile (in: hFile=0x1f0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0077.906] SetEndOfFile (hFile=0x1f0) returned 1 [0077.906] CloseHandle (hObject=0x1f0) returned 1 [0077.909] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.909] SetEndOfFile (hFile=0x1b8) returned 1 [0077.910] CloseHandle (hObject=0x1b8) returned 1 [0077.910] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0077.910] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 1 [0077.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0077.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0077.911] lstrlenW (lpString=".doc") returned 4 [0077.911] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.911] lstrlenW (lpString=".docx") returned 5 [0077.911] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0077.911] lstrlenW (lpString=".pdf") returned 4 [0077.911] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.911] lstrlenW (lpString=".xls") returned 4 [0077.911] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.911] lstrlenW (lpString=".xlsx") returned 5 [0077.911] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0077.911] lstrlenW (lpString=".ppt") returned 4 [0077.911] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0077.911] lstrlenW (lpString=".zip") returned 4 [0077.911] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.911] lstrlenW (lpString=".rar") returned 4 [0077.911] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.911] lstrlenW (lpString=".bz2") returned 4 [0077.911] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.911] lstrlenW (lpString=".7z") returned 3 [0077.911] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0077.911] lstrlenW (lpString=".dbf") returned 4 [0077.911] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0077.911] lstrlenW (lpString=".1cd") returned 4 [0077.911] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0077.911] lstrlenW (lpString=".jpg") returned 4 [0077.912] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0077.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0077.912] lstrlenW (lpString=".doc") returned 4 [0077.912] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.912] lstrlenW (lpString=".docx") returned 5 [0077.912] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0077.912] lstrlenW (lpString=".pdf") returned 4 [0077.912] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.912] lstrlenW (lpString=".xls") returned 4 [0077.912] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.912] lstrlenW (lpString=".xlsx") returned 5 [0077.912] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0077.912] lstrlenW (lpString=".ppt") returned 4 [0077.912] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0077.912] lstrlenW (lpString=".zip") returned 4 [0077.912] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.912] lstrlenW (lpString=".rar") returned 4 [0077.912] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.912] lstrlenW (lpString=".bz2") returned 4 [0077.912] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.912] lstrlenW (lpString=".7z") returned 3 [0077.912] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0077.912] lstrlenW (lpString=".dbf") returned 4 [0077.912] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0077.912] lstrlenW (lpString=".1cd") returned 4 [0077.912] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0077.913] lstrlenW (lpString=".jpg") returned 4 [0077.913] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.913] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0077.913] lstrlenW (lpString="Proofing.XML") returned 12 [0077.913] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0077.922] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=811) returned 1 [0077.922] CloseHandle (hObject=0x1b8) returned 1 [0077.922] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 0x20 [0077.922] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0077.922] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0077.922] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.923] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.923] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0077.923] GetLastError () returned 0x0 [0077.923] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x32b, lpOverlapped=0x0) returned 1 [0077.933] WriteFile (in: hFile=0x1f0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x330, lpOverlapped=0x0) returned 1 [0077.934] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0077.934] WriteFile (in: hFile=0x1f0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0077.934] SetEndOfFile (hFile=0x1f0) returned 1 [0077.934] CloseHandle (hObject=0x1f0) returned 1 [0077.935] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.935] SetEndOfFile (hFile=0x1b8) returned 1 [0077.936] CloseHandle (hObject=0x1b8) returned 1 [0077.936] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0077.937] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 1 [0077.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0077.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0077.937] lstrlenW (lpString=".doc") returned 4 [0077.937] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.937] lstrlenW (lpString=".docx") returned 5 [0077.937] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0077.937] lstrlenW (lpString=".pdf") returned 4 [0077.937] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.937] lstrlenW (lpString=".xls") returned 4 [0077.937] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.937] lstrlenW (lpString=".xlsx") returned 5 [0077.937] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0077.937] lstrlenW (lpString=".ppt") returned 4 [0077.937] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0077.937] lstrlenW (lpString=".zip") returned 4 [0077.937] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.937] lstrlenW (lpString=".rar") returned 4 [0077.937] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.937] lstrlenW (lpString=".bz2") returned 4 [0077.937] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.937] lstrlenW (lpString=".7z") returned 3 [0077.937] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0077.937] lstrlenW (lpString=".dbf") returned 4 [0077.938] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0077.938] lstrlenW (lpString=".1cd") returned 4 [0077.938] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0077.938] lstrlenW (lpString=".jpg") returned 4 [0077.938] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0077.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0077.938] lstrlenW (lpString=".doc") returned 4 [0077.938] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0077.938] lstrlenW (lpString=".docx") returned 5 [0077.938] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0077.938] lstrlenW (lpString=".pdf") returned 4 [0077.938] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0077.938] lstrlenW (lpString=".xls") returned 4 [0077.938] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0077.938] lstrlenW (lpString=".xlsx") returned 5 [0077.938] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0077.938] lstrlenW (lpString=".ppt") returned 4 [0077.938] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0077.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0077.938] lstrlenW (lpString=".zip") returned 4 [0077.938] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0077.938] lstrlenW (lpString=".rar") returned 4 [0077.938] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0077.938] lstrlenW (lpString=".bz2") returned 4 [0077.938] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0077.938] lstrlenW (lpString=".7z") returned 3 [0077.938] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0077.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0077.938] lstrlenW (lpString=".dbf") returned 4 [0077.938] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0077.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0077.939] lstrlenW (lpString=".1cd") returned 4 [0077.939] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0077.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0077.939] lstrlenW (lpString=".jpg") returned 4 [0077.939] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0077.939] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0077.939] lstrlenW (lpString="SETUP.XML") returned 9 [0077.939] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0077.939] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=5884) returned 1 [0077.939] CloseHandle (hObject=0x1b8) returned 1 [0077.939] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 0x20 [0077.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0077.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0077.940] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.940] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0077.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0078.024] GetLastError () returned 0x0 [0078.024] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x16fc, lpOverlapped=0x0) returned 1 [0078.122] WriteFile (in: hFile=0x1f0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x1700, lpOverlapped=0x0) returned 1 [0078.123] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0078.123] WriteFile (in: hFile=0x1f0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0078.123] SetEndOfFile (hFile=0x1f0) returned 1 [0078.123] CloseHandle (hObject=0x1f0) returned 1 [0078.124] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.124] SetEndOfFile (hFile=0x1b8) returned 1 [0078.125] CloseHandle (hObject=0x1b8) returned 1 [0078.125] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.125] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 1 [0078.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0078.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0078.125] lstrlenW (lpString=".doc") returned 4 [0078.125] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.125] lstrlenW (lpString=".docx") returned 5 [0078.125] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.125] lstrlenW (lpString=".pdf") returned 4 [0078.125] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.125] lstrlenW (lpString=".xls") returned 4 [0078.126] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.126] lstrlenW (lpString=".xlsx") returned 5 [0078.126] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.126] lstrlenW (lpString=".ppt") returned 4 [0078.126] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0078.126] lstrlenW (lpString=".zip") returned 4 [0078.126] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.126] lstrlenW (lpString=".rar") returned 4 [0078.126] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.126] lstrlenW (lpString=".bz2") returned 4 [0078.126] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.126] lstrlenW (lpString=".7z") returned 3 [0078.126] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0078.126] lstrlenW (lpString=".dbf") returned 4 [0078.126] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0078.126] lstrlenW (lpString=".1cd") returned 4 [0078.126] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0078.126] lstrlenW (lpString=".jpg") returned 4 [0078.126] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0078.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0078.126] lstrlenW (lpString=".doc") returned 4 [0078.126] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.126] lstrlenW (lpString=".docx") returned 5 [0078.126] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.126] lstrlenW (lpString=".pdf") returned 4 [0078.126] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.126] lstrlenW (lpString=".xls") returned 4 [0078.126] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.126] lstrlenW (lpString=".xlsx") returned 5 [0078.126] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.127] lstrlenW (lpString=".ppt") returned 4 [0078.127] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0078.127] lstrlenW (lpString=".zip") returned 4 [0078.127] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.127] lstrlenW (lpString=".rar") returned 4 [0078.127] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.127] lstrlenW (lpString=".bz2") returned 4 [0078.127] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.127] lstrlenW (lpString=".7z") returned 3 [0078.127] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0078.127] lstrlenW (lpString=".dbf") returned 4 [0078.127] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0078.127] lstrlenW (lpString=".1cd") returned 4 [0078.127] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0078.127] lstrlenW (lpString=".jpg") returned 4 [0078.127] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.127] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0078.127] lstrlenW (lpString="ProPlusrWW.XML") returned 14 [0078.127] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0078.133] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=16852) returned 1 [0078.133] CloseHandle (hObject=0x1b8) returned 1 [0078.133] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 0x20 [0078.133] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0078.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0078.133] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.133] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0078.134] GetLastError () returned 0x0 [0078.134] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x41d4, lpOverlapped=0x0) returned 1 [0078.135] WriteFile (in: hFile=0x1f0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0078.137] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0078.137] WriteFile (in: hFile=0x1f0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0078.137] SetEndOfFile (hFile=0x1f0) returned 1 [0078.137] CloseHandle (hObject=0x1f0) returned 1 [0078.138] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.138] SetEndOfFile (hFile=0x1b8) returned 1 [0078.139] CloseHandle (hObject=0x1b8) returned 1 [0078.139] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.139] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 1 [0078.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0078.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0078.140] lstrlenW (lpString=".doc") returned 4 [0078.140] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.140] lstrlenW (lpString=".docx") returned 5 [0078.140] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0078.140] lstrlenW (lpString=".pdf") returned 4 [0078.140] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.140] lstrlenW (lpString=".xls") returned 4 [0078.140] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.140] lstrlenW (lpString=".xlsx") returned 5 [0078.140] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0078.140] lstrlenW (lpString=".ppt") returned 4 [0078.140] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0078.140] lstrlenW (lpString=".zip") returned 4 [0078.140] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.140] lstrlenW (lpString=".rar") returned 4 [0078.140] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.140] lstrlenW (lpString=".bz2") returned 4 [0078.140] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.140] lstrlenW (lpString=".7z") returned 3 [0078.140] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0078.140] lstrlenW (lpString=".dbf") returned 4 [0078.140] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0078.140] lstrlenW (lpString=".1cd") returned 4 [0078.140] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0078.140] lstrlenW (lpString=".jpg") returned 4 [0078.140] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0078.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0078.141] lstrlenW (lpString=".doc") returned 4 [0078.141] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.141] lstrlenW (lpString=".docx") returned 5 [0078.141] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0078.141] lstrlenW (lpString=".pdf") returned 4 [0078.141] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.141] lstrlenW (lpString=".xls") returned 4 [0078.141] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.141] lstrlenW (lpString=".xlsx") returned 5 [0078.141] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0078.141] lstrlenW (lpString=".ppt") returned 4 [0078.141] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0078.141] lstrlenW (lpString=".zip") returned 4 [0078.141] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.141] lstrlenW (lpString=".rar") returned 4 [0078.141] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.141] lstrlenW (lpString=".bz2") returned 4 [0078.141] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.141] lstrlenW (lpString=".7z") returned 3 [0078.141] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0078.141] lstrlenW (lpString=".dbf") returned 4 [0078.141] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0078.141] lstrlenW (lpString=".1cd") returned 4 [0078.141] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0078.141] lstrlenW (lpString=".jpg") returned 4 [0078.141] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.142] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0078.142] lstrlenW (lpString="SETUP.XML") returned 9 [0078.142] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0078.142] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=31094) returned 1 [0078.142] CloseHandle (hObject=0x1b8) returned 1 [0078.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 0x20 [0078.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0078.142] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0078.142] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.143] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.143] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0078.145] GetLastError () returned 0x0 [0078.145] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x7976, lpOverlapped=0x0) returned 1 [0078.147] WriteFile (in: hFile=0x1f0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x7980, lpOverlapped=0x0) returned 1 [0078.148] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0078.148] WriteFile (in: hFile=0x1f0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0078.148] SetEndOfFile (hFile=0x1f0) returned 1 [0078.149] CloseHandle (hObject=0x1f0) returned 1 [0078.156] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.156] SetEndOfFile (hFile=0x1b8) returned 1 [0078.157] CloseHandle (hObject=0x1b8) returned 1 [0078.157] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.158] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 1 [0078.158] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0078.158] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0078.158] lstrlenW (lpString=".doc") returned 4 [0078.158] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.158] lstrlenW (lpString=".docx") returned 5 [0078.158] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.158] lstrlenW (lpString=".pdf") returned 4 [0078.158] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.158] lstrlenW (lpString=".xls") returned 4 [0078.158] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.158] lstrlenW (lpString=".xlsx") returned 5 [0078.158] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.158] lstrlenW (lpString=".ppt") returned 4 [0078.158] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.158] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0078.158] lstrlenW (lpString=".zip") returned 4 [0078.158] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.158] lstrlenW (lpString=".rar") returned 4 [0078.158] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.158] lstrlenW (lpString=".bz2") returned 4 [0078.158] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.158] lstrlenW (lpString=".7z") returned 3 [0078.158] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.158] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0078.158] lstrlenW (lpString=".dbf") returned 4 [0078.159] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0078.159] lstrlenW (lpString=".1cd") returned 4 [0078.159] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0078.159] lstrlenW (lpString=".jpg") returned 4 [0078.159] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0078.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0078.159] lstrlenW (lpString=".doc") returned 4 [0078.159] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.159] lstrlenW (lpString=".docx") returned 5 [0078.159] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0078.159] lstrlenW (lpString=".pdf") returned 4 [0078.159] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.159] lstrlenW (lpString=".xls") returned 4 [0078.159] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.159] lstrlenW (lpString=".xlsx") returned 5 [0078.159] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0078.159] lstrlenW (lpString=".ppt") returned 4 [0078.159] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0078.159] lstrlenW (lpString=".zip") returned 4 [0078.159] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.159] lstrlenW (lpString=".rar") returned 4 [0078.159] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.159] lstrlenW (lpString=".bz2") returned 4 [0078.159] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.159] lstrlenW (lpString=".7z") returned 3 [0078.159] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0078.159] lstrlenW (lpString=".dbf") returned 4 [0078.159] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0078.160] lstrlenW (lpString=".1cd") returned 4 [0078.160] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0078.160] lstrlenW (lpString=".jpg") returned 4 [0078.160] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.160] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0078.160] lstrlenW (lpString="PublisherMUI.XML") returned 16 [0078.160] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0078.160] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1450) returned 1 [0078.160] CloseHandle (hObject=0x1b8) returned 1 [0078.160] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 0x20 [0078.161] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0078.161] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0078.161] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.161] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.161] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0078.368] GetLastError () returned 0x0 [0078.368] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0078.374] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0078.375] ReadFile (in: hFile=0x1b8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0078.375] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0078.376] SetEndOfFile (hFile=0x204) returned 1 [0078.376] CloseHandle (hObject=0x204) returned 1 [0078.381] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.381] SetEndOfFile (hFile=0x1b8) returned 1 [0078.382] CloseHandle (hObject=0x1b8) returned 1 [0078.383] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0078.383] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 1 [0078.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0078.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0078.383] lstrlenW (lpString=".doc") returned 4 [0078.383] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.383] lstrlenW (lpString=".docx") returned 5 [0078.383] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0078.383] lstrlenW (lpString=".pdf") returned 4 [0078.383] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.383] lstrlenW (lpString=".xls") returned 4 [0078.384] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.384] lstrlenW (lpString=".xlsx") returned 5 [0078.384] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0078.384] lstrlenW (lpString=".ppt") returned 4 [0078.384] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0078.384] lstrlenW (lpString=".zip") returned 4 [0078.384] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.384] lstrlenW (lpString=".rar") returned 4 [0078.384] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.384] lstrlenW (lpString=".bz2") returned 4 [0078.384] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.384] lstrlenW (lpString=".7z") returned 3 [0078.384] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0078.384] lstrlenW (lpString=".dbf") returned 4 [0078.384] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0078.384] lstrlenW (lpString=".1cd") returned 4 [0078.384] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0078.384] lstrlenW (lpString=".jpg") returned 4 [0078.384] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0078.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0078.385] lstrlenW (lpString=".doc") returned 4 [0078.385] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0078.385] lstrlenW (lpString=".docx") returned 5 [0078.385] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0078.385] lstrlenW (lpString=".pdf") returned 4 [0078.385] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0078.385] lstrlenW (lpString=".xls") returned 4 [0078.385] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0078.385] lstrlenW (lpString=".xlsx") returned 5 [0078.385] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0078.385] lstrlenW (lpString=".ppt") returned 4 [0078.385] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0078.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0078.385] lstrlenW (lpString=".zip") returned 4 [0078.385] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0078.385] lstrlenW (lpString=".rar") returned 4 [0078.385] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0078.385] lstrlenW (lpString=".bz2") returned 4 [0078.385] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0078.385] lstrlenW (lpString=".7z") returned 3 [0078.385] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0078.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0078.385] lstrlenW (lpString=".dbf") returned 4 [0078.385] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0078.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0078.385] lstrlenW (lpString=".1cd") returned 4 [0078.385] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0078.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0078.385] lstrlenW (lpString=".jpg") returned 4 [0078.386] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0078.386] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0078.386] lstrlenW (lpString="SETUP.XML") returned 9 [0078.386] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0079.224] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=20577) returned 1 [0079.224] CloseHandle (hObject=0x1b0) returned 1 [0079.224] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 0x20 [0079.224] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0079.225] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0079.225] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.225] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.225] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0079.596] GetLastError () returned 0x0 [0079.596] ReadFile (in: hFile=0x1b0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x5061, lpOverlapped=0x0) returned 1 [0079.677] WriteFile (in: hFile=0x1cc, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x5070, lpOverlapped=0x0) returned 1 [0079.680] ReadFile (in: hFile=0x1b0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0079.680] WriteFile (in: hFile=0x1cc, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0079.681] SetEndOfFile (hFile=0x1cc) returned 1 [0079.681] CloseHandle (hObject=0x1cc) returned 1 [0079.682] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.682] SetEndOfFile (hFile=0x1b0) returned 1 [0079.683] CloseHandle (hObject=0x1b0) returned 1 [0079.683] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0079.684] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 1 [0079.684] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0079.684] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0079.684] lstrlenW (lpString=".doc") returned 4 [0079.684] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0079.684] lstrlenW (lpString=".docx") returned 5 [0079.684] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0079.684] lstrlenW (lpString=".pdf") returned 4 [0079.684] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0079.684] lstrlenW (lpString=".xls") returned 4 [0079.684] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0079.684] lstrlenW (lpString=".xlsx") returned 5 [0079.684] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0079.684] lstrlenW (lpString=".ppt") returned 4 [0079.684] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0079.684] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0079.685] lstrlenW (lpString=".zip") returned 4 [0079.685] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0079.685] lstrlenW (lpString=".rar") returned 4 [0079.685] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0079.685] lstrlenW (lpString=".bz2") returned 4 [0079.685] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0079.685] lstrlenW (lpString=".7z") returned 3 [0079.685] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0079.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0079.685] lstrlenW (lpString=".dbf") returned 4 [0079.685] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0079.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0079.685] lstrlenW (lpString=".1cd") returned 4 [0079.685] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0079.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0079.685] lstrlenW (lpString=".jpg") returned 4 [0079.685] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0079.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0079.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0079.685] lstrlenW (lpString=".doc") returned 4 [0079.685] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0079.685] lstrlenW (lpString=".docx") returned 5 [0079.685] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0079.685] lstrlenW (lpString=".pdf") returned 4 [0079.685] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0079.685] lstrlenW (lpString=".xls") returned 4 [0079.686] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0079.686] lstrlenW (lpString=".xlsx") returned 5 [0079.686] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0079.686] lstrlenW (lpString=".ppt") returned 4 [0079.686] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0079.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0079.686] lstrlenW (lpString=".zip") returned 4 [0079.686] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0079.686] lstrlenW (lpString=".rar") returned 4 [0079.686] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0079.686] lstrlenW (lpString=".bz2") returned 4 [0079.686] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0079.686] lstrlenW (lpString=".7z") returned 3 [0079.686] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0079.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0079.686] lstrlenW (lpString=".dbf") returned 4 [0079.686] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0079.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0079.686] lstrlenW (lpString=".1cd") returned 4 [0079.686] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0079.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0079.686] lstrlenW (lpString=".jpg") returned 4 [0079.686] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0079.686] lstrcmpiW (lpString1=".XML", lpString2=".mnbzr") returned 1 [0079.687] lstrlenW (lpString="TIME.XML") returned 8 [0079.687] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0079.687] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=8564) returned 1 [0079.687] CloseHandle (hObject=0x1b0) returned 1 [0079.687] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 0x20 [0079.687] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0079.687] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0079.687] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.688] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.688] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0079.688] GetLastError () returned 0x0 [0079.688] ReadFile (in: hFile=0x1b0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x2174, lpOverlapped=0x0) returned 1 [0079.902] WriteFile (in: hFile=0x1cc, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x2180, lpOverlapped=0x0) returned 1 [0079.904] ReadFile (in: hFile=0x1b0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0079.904] WriteFile (in: hFile=0x1cc, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0079.904] SetEndOfFile (hFile=0x1cc) returned 1 [0079.904] CloseHandle (hObject=0x1cc) returned 1 [0079.905] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.905] SetEndOfFile (hFile=0x1b0) returned 1 [0079.907] CloseHandle (hObject=0x1b0) returned 1 [0079.907] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0079.907] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 1 [0079.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0079.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0079.907] lstrlenW (lpString=".doc") returned 4 [0079.907] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0079.907] lstrlenW (lpString=".docx") returned 5 [0079.907] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0079.908] lstrlenW (lpString=".pdf") returned 4 [0079.908] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0079.908] lstrlenW (lpString=".xls") returned 4 [0079.908] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0079.908] lstrlenW (lpString=".xlsx") returned 5 [0079.908] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0079.908] lstrlenW (lpString=".ppt") returned 4 [0079.908] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0079.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0079.908] lstrlenW (lpString=".zip") returned 4 [0079.908] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0079.908] lstrlenW (lpString=".rar") returned 4 [0079.908] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0079.908] lstrlenW (lpString=".bz2") returned 4 [0079.908] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0079.908] lstrlenW (lpString=".7z") returned 3 [0079.908] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0079.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0079.908] lstrlenW (lpString=".dbf") returned 4 [0079.908] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0079.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0079.908] lstrlenW (lpString=".1cd") returned 4 [0079.908] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0079.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0079.908] lstrlenW (lpString=".jpg") returned 4 [0079.908] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0079.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0079.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0079.909] lstrlenW (lpString=".doc") returned 4 [0079.909] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0079.909] lstrlenW (lpString=".docx") returned 5 [0079.909] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0079.909] lstrlenW (lpString=".pdf") returned 4 [0079.909] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0079.909] lstrlenW (lpString=".xls") returned 4 [0079.909] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0079.909] lstrlenW (lpString=".xlsx") returned 5 [0079.909] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0079.909] lstrlenW (lpString=".ppt") returned 4 [0079.909] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0079.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0079.909] lstrlenW (lpString=".zip") returned 4 [0079.909] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0079.909] lstrlenW (lpString=".rar") returned 4 [0079.909] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0079.909] lstrlenW (lpString=".bz2") returned 4 [0079.909] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0079.909] lstrlenW (lpString=".7z") returned 3 [0079.909] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0079.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0079.909] lstrlenW (lpString=".dbf") returned 4 [0079.909] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0079.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0079.910] lstrlenW (lpString=".1cd") returned 4 [0079.910] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0079.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0079.910] lstrlenW (lpString=".jpg") returned 4 [0079.910] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0080.037] lstrcmpiW (lpString1=".jpg", lpString2=".mnbzr") returned -1 [0080.037] lstrlenW (lpString="Bears.jpg") returned 9 [0080.037] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0080.037] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1074) returned 1 [0080.037] CloseHandle (hObject=0x1b0) returned 1 [0080.038] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg")) returned 0x20 [0080.038] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0080.038] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0080.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0080.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0080.038] lstrlenW (lpString=".doc") returned 4 [0080.038] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0080.038] lstrlenW (lpString=".docx") returned 5 [0080.038] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0080.038] lstrlenW (lpString=".pdf") returned 4 [0080.038] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0080.038] lstrlenW (lpString=".xls") returned 4 [0080.038] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0080.038] lstrlenW (lpString=".xlsx") returned 5 [0080.038] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0080.038] lstrlenW (lpString=".ppt") returned 4 [0080.038] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0080.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0080.038] lstrlenW (lpString=".zip") returned 4 [0080.038] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0080.038] lstrlenW (lpString=".rar") returned 4 [0080.038] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0080.039] lstrlenW (lpString=".bz2") returned 4 [0080.039] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0080.039] lstrlenW (lpString=".7z") returned 3 [0080.039] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0080.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0080.039] lstrlenW (lpString=".dbf") returned 4 [0080.039] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0080.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0080.039] lstrlenW (lpString=".1cd") returned 4 [0080.039] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0080.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0080.039] lstrlenW (lpString=".jpg") returned 4 [0080.039] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0080.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0080.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0080.039] lstrlenW (lpString=".doc") returned 4 [0080.039] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0080.039] lstrlenW (lpString=".docx") returned 5 [0080.039] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0080.039] lstrlenW (lpString=".pdf") returned 4 [0080.039] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0080.039] lstrlenW (lpString=".xls") returned 4 [0080.039] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0080.039] lstrlenW (lpString=".xlsx") returned 5 [0080.039] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0080.039] lstrlenW (lpString=".ppt") returned 4 [0080.039] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0080.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0080.040] lstrlenW (lpString=".zip") returned 4 [0080.040] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0080.040] lstrlenW (lpString=".rar") returned 4 [0080.040] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0080.040] lstrlenW (lpString=".bz2") returned 4 [0080.040] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0080.040] lstrlenW (lpString=".7z") returned 3 [0080.040] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0080.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0080.040] lstrlenW (lpString=".dbf") returned 4 [0080.040] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0080.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0080.040] lstrlenW (lpString=".1cd") returned 4 [0080.040] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0080.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0080.040] lstrlenW (lpString=".jpg") returned 4 [0080.040] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0080.040] lstrcmpiW (lpString1=".jpg", lpString2=".mnbzr") returned -1 [0080.040] lstrlenW (lpString="Blue_Gradient.jpg") returned 17 [0080.040] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0080.041] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=2575) returned 1 [0080.041] CloseHandle (hObject=0x1b0) returned 1 [0080.041] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg")) returned 0x20 [0080.042] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0080.042] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0080.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0080.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0080.042] lstrlenW (lpString=".doc") returned 4 [0080.042] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0080.042] lstrlenW (lpString=".docx") returned 5 [0080.042] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0080.042] lstrlenW (lpString=".pdf") returned 4 [0080.042] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0080.042] lstrlenW (lpString=".xls") returned 4 [0080.042] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0080.042] lstrlenW (lpString=".xlsx") returned 5 [0080.042] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0080.042] lstrlenW (lpString=".ppt") returned 4 [0080.042] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0080.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0080.042] lstrlenW (lpString=".zip") returned 4 [0080.042] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0080.042] lstrlenW (lpString=".rar") returned 4 [0080.042] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0080.042] lstrlenW (lpString=".bz2") returned 4 [0080.042] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0080.042] lstrlenW (lpString=".7z") returned 3 [0080.042] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0080.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0080.043] lstrlenW (lpString=".dbf") returned 4 [0080.043] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0080.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0080.043] lstrlenW (lpString=".1cd") returned 4 [0080.043] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0080.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0080.043] lstrlenW (lpString=".jpg") returned 4 [0080.043] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0080.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0080.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0080.043] lstrlenW (lpString=".doc") returned 4 [0080.043] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0080.043] lstrlenW (lpString=".docx") returned 5 [0080.043] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0080.043] lstrlenW (lpString=".pdf") returned 4 [0080.043] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0080.043] lstrlenW (lpString=".xls") returned 4 [0080.043] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0080.043] lstrlenW (lpString=".xlsx") returned 5 [0080.043] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0080.043] lstrlenW (lpString=".ppt") returned 4 [0080.043] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0080.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0080.043] lstrlenW (lpString=".zip") returned 4 [0080.043] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0080.043] lstrlenW (lpString=".rar") returned 4 [0080.043] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0080.044] lstrlenW (lpString=".bz2") returned 4 [0080.044] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0080.044] lstrlenW (lpString=".7z") returned 3 [0080.044] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0080.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0080.044] lstrlenW (lpString=".dbf") returned 4 [0080.044] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0080.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0080.044] lstrlenW (lpString=".1cd") returned 4 [0080.044] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0080.044] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0080.044] lstrlenW (lpString=".jpg") returned 4 [0080.044] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0080.044] lstrcmpiW (lpString1=".gif", lpString2=".mnbzr") returned -1 [0080.044] lstrlenW (lpString="Cave_Drawings.gif") returned 17 [0080.044] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0080.045] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=4587) returned 1 [0080.045] CloseHandle (hObject=0x1b0) returned 1 [0080.045] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif")) returned 0x20 [0080.045] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0080.045] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0080.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0080.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0080.045] lstrlenW (lpString=".doc") returned 4 [0080.045] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0080.045] lstrlenW (lpString=".docx") returned 5 [0080.045] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0080.045] lstrlenW (lpString=".pdf") returned 4 [0080.045] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0080.045] lstrlenW (lpString=".xls") returned 4 [0080.045] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0080.045] lstrlenW (lpString=".xlsx") returned 5 [0080.045] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0080.045] lstrlenW (lpString=".ppt") returned 4 [0080.045] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0080.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0080.045] lstrlenW (lpString=".zip") returned 4 [0080.046] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0080.046] lstrlenW (lpString=".rar") returned 4 [0080.046] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0080.046] lstrlenW (lpString=".bz2") returned 4 [0080.046] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0080.046] lstrlenW (lpString=".7z") returned 3 [0080.046] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0080.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0080.046] lstrlenW (lpString=".dbf") returned 4 [0080.046] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0080.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0080.046] lstrlenW (lpString=".1cd") returned 4 [0080.046] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0080.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0080.046] lstrlenW (lpString=".jpg") returned 4 [0080.046] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0080.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0080.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0080.046] lstrlenW (lpString=".doc") returned 4 [0080.046] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0080.046] lstrlenW (lpString=".docx") returned 5 [0080.046] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0080.046] lstrlenW (lpString=".pdf") returned 4 [0080.046] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0080.046] lstrlenW (lpString=".xls") returned 4 [0080.046] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0080.046] lstrlenW (lpString=".xlsx") returned 5 [0080.047] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0080.047] lstrlenW (lpString=".ppt") returned 4 [0080.047] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0080.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0080.047] lstrlenW (lpString=".zip") returned 4 [0080.047] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0080.047] lstrlenW (lpString=".rar") returned 4 [0080.047] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0080.047] lstrlenW (lpString=".bz2") returned 4 [0080.047] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0080.047] lstrlenW (lpString=".7z") returned 3 [0080.047] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0080.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0080.047] lstrlenW (lpString=".dbf") returned 4 [0080.047] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0080.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0080.047] lstrlenW (lpString=".1cd") returned 4 [0080.047] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0080.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0080.047] lstrlenW (lpString=".jpg") returned 4 [0080.047] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0080.047] lstrcmpiW (lpString1=".gif", lpString2=".mnbzr") returned -1 [0080.047] lstrlenW (lpString="Connectivity.gif") returned 16 [0080.047] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0080.048] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=2319) returned 1 [0080.048] CloseHandle (hObject=0x1b0) returned 1 [0080.048] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif")) returned 0x20 [0080.048] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0080.048] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0080.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0080.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0080.048] lstrlenW (lpString=".doc") returned 4 [0080.048] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0080.048] lstrlenW (lpString=".docx") returned 5 [0080.048] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0080.048] lstrlenW (lpString=".pdf") returned 4 [0080.048] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0080.048] lstrlenW (lpString=".xls") returned 4 [0080.048] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0080.049] lstrlenW (lpString=".xlsx") returned 5 [0080.049] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0080.049] lstrlenW (lpString=".ppt") returned 4 [0080.049] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0080.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0080.049] lstrlenW (lpString=".zip") returned 4 [0080.049] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0080.049] lstrlenW (lpString=".rar") returned 4 [0080.049] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0080.049] lstrlenW (lpString=".bz2") returned 4 [0080.049] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0080.049] lstrlenW (lpString=".7z") returned 3 [0080.049] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0080.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0080.049] lstrlenW (lpString=".dbf") returned 4 [0080.049] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0080.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0080.049] lstrlenW (lpString=".1cd") returned 4 [0080.049] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0080.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0080.049] lstrlenW (lpString=".jpg") returned 4 [0080.049] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0080.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0080.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0080.049] lstrlenW (lpString=".doc") returned 4 [0080.049] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0080.049] lstrlenW (lpString=".docx") returned 5 [0080.050] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0080.050] lstrlenW (lpString=".pdf") returned 4 [0080.050] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0080.050] lstrlenW (lpString=".xls") returned 4 [0080.050] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0080.050] lstrlenW (lpString=".xlsx") returned 5 [0080.050] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0080.050] lstrlenW (lpString=".ppt") returned 4 [0080.050] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0080.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0080.050] lstrlenW (lpString=".zip") returned 4 [0080.050] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0080.050] lstrlenW (lpString=".rar") returned 4 [0080.050] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0080.050] lstrlenW (lpString=".bz2") returned 4 [0080.050] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0080.050] lstrlenW (lpString=".7z") returned 3 [0080.050] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0080.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0080.050] lstrlenW (lpString=".dbf") returned 4 [0080.050] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0080.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0080.050] lstrlenW (lpString=".1cd") returned 4 [0080.050] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0080.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0080.050] lstrlenW (lpString=".jpg") returned 4 [0080.051] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0080.051] lstrcmpiW (lpString1=".ini", lpString2=".mnbzr") returned -1 [0080.051] lstrlenW (lpString="Desktop.ini") returned 11 [0080.051] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0080.051] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=645) returned 1 [0080.051] CloseHandle (hObject=0x1b0) returned 1 [0080.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 0x26 [0080.052] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0080.052] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0080.052] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0080.052] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0080.052] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0080.052] GetLastError () returned 0x0 [0080.052] ReadFile (in: hFile=0x1b0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x285, lpOverlapped=0x0) returned 1 [0080.054] WriteFile (in: hFile=0x1cc, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x290, lpOverlapped=0x0) returned 1 [0080.055] ReadFile (in: hFile=0x1b0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0080.055] WriteFile (in: hFile=0x1cc, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0080.055] SetEndOfFile (hFile=0x1cc) returned 1 [0080.056] CloseHandle (hObject=0x1cc) returned 1 [0080.057] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0080.057] SetEndOfFile (hFile=0x1b0) returned 1 [0080.058] CloseHandle (hObject=0x1b0) returned 1 [0080.058] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x26) returned 1 [0080.058] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 1 [0080.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0080.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0080.058] lstrlenW (lpString=".doc") returned 4 [0080.058] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0080.058] lstrlenW (lpString=".docx") returned 5 [0080.059] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0080.059] lstrlenW (lpString=".pdf") returned 4 [0080.059] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0080.059] lstrlenW (lpString=".xls") returned 4 [0080.059] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0080.059] lstrlenW (lpString=".xlsx") returned 5 [0080.059] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0080.059] lstrlenW (lpString=".ppt") returned 4 [0080.059] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0080.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0080.059] lstrlenW (lpString=".zip") returned 4 [0080.059] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0080.059] lstrlenW (lpString=".rar") returned 4 [0080.059] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0080.059] lstrlenW (lpString=".bz2") returned 4 [0080.059] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0080.059] lstrlenW (lpString=".7z") returned 3 [0080.059] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0080.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0080.059] lstrlenW (lpString=".dbf") returned 4 [0080.059] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0080.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0080.059] lstrlenW (lpString=".1cd") returned 4 [0080.059] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0080.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0080.059] lstrlenW (lpString=".jpg") returned 4 [0080.059] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0080.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0080.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0080.060] lstrlenW (lpString=".doc") returned 4 [0080.060] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0080.060] lstrlenW (lpString=".docx") returned 5 [0080.060] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0080.060] lstrlenW (lpString=".pdf") returned 4 [0080.060] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0080.060] lstrlenW (lpString=".xls") returned 4 [0080.060] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0080.060] lstrlenW (lpString=".xlsx") returned 5 [0080.060] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0080.060] lstrlenW (lpString=".ppt") returned 4 [0080.060] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0080.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0080.060] lstrlenW (lpString=".zip") returned 4 [0080.060] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0080.060] lstrlenW (lpString=".rar") returned 4 [0080.060] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0080.060] lstrlenW (lpString=".bz2") returned 4 [0080.060] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0080.060] lstrlenW (lpString=".7z") returned 3 [0080.060] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0080.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0080.060] lstrlenW (lpString=".dbf") returned 4 [0080.060] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0080.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0080.061] lstrlenW (lpString=".1cd") returned 4 [0080.061] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0080.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0080.061] lstrlenW (lpString=".jpg") returned 4 [0080.061] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0080.061] lstrcmpiW (lpString1=".emf", lpString2=".mnbzr") returned -1 [0080.061] lstrlenW (lpString="Dotted_Lines.emf") returned 16 [0080.061] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0080.061] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=3792) returned 1 [0080.061] CloseHandle (hObject=0x1b0) returned 1 [0080.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf")) returned 0x20 [0080.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0080.062] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0080.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0080.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0080.062] lstrlenW (lpString=".doc") returned 4 [0080.062] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0080.062] lstrlenW (lpString=".docx") returned 5 [0080.062] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0080.062] lstrlenW (lpString=".pdf") returned 4 [0080.062] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0080.062] lstrlenW (lpString=".xls") returned 4 [0080.062] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0080.062] lstrlenW (lpString=".xlsx") returned 5 [0080.062] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0080.062] lstrlenW (lpString=".ppt") returned 4 [0080.062] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0080.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0080.062] lstrlenW (lpString=".zip") returned 4 [0080.062] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0080.062] lstrlenW (lpString=".rar") returned 4 [0080.062] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0080.063] lstrlenW (lpString=".bz2") returned 4 [0080.063] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0080.063] lstrlenW (lpString=".7z") returned 3 [0080.063] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0080.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0080.063] lstrlenW (lpString=".dbf") returned 4 [0080.063] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0080.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0080.063] lstrlenW (lpString=".1cd") returned 4 [0080.063] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0080.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0080.063] lstrlenW (lpString=".jpg") returned 4 [0080.063] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0080.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0080.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0080.063] lstrlenW (lpString=".doc") returned 4 [0080.063] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0080.063] lstrlenW (lpString=".docx") returned 5 [0080.063] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0080.063] lstrlenW (lpString=".pdf") returned 4 [0080.063] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0080.063] lstrlenW (lpString=".xls") returned 4 [0080.063] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0080.063] lstrlenW (lpString=".xlsx") returned 5 [0080.063] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0080.063] lstrlenW (lpString=".ppt") returned 4 [0080.064] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0080.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0080.064] lstrlenW (lpString=".zip") returned 4 [0080.064] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0080.064] lstrlenW (lpString=".rar") returned 4 [0080.064] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0080.064] lstrlenW (lpString=".bz2") returned 4 [0080.064] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0080.064] lstrlenW (lpString=".7z") returned 3 [0080.064] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0080.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0080.064] lstrlenW (lpString=".dbf") returned 4 [0080.064] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0080.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0080.064] lstrlenW (lpString=".1cd") returned 4 [0080.064] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0080.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0080.064] lstrlenW (lpString=".jpg") returned 4 [0080.064] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0080.064] lstrcmpiW (lpString1=".htm", lpString2=".mnbzr") returned -1 [0080.064] lstrlenW (lpString="Garden.htm") returned 10 [0080.064] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0080.065] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=231) returned 1 [0080.065] CloseHandle (hObject=0x1b0) returned 1 [0080.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm")) returned 0x20 [0080.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0080.065] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0080.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0080.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0080.065] lstrlenW (lpString=".doc") returned 4 [0080.065] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0080.065] lstrlenW (lpString=".docx") returned 5 [0080.065] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0080.065] lstrlenW (lpString=".pdf") returned 4 [0080.065] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0080.065] lstrlenW (lpString=".xls") returned 4 [0080.066] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0080.066] lstrlenW (lpString=".xlsx") returned 5 [0080.066] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0080.066] lstrlenW (lpString=".ppt") returned 4 [0080.066] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0080.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0080.066] lstrlenW (lpString=".zip") returned 4 [0080.066] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0080.066] lstrlenW (lpString=".rar") returned 4 [0080.066] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0080.066] lstrlenW (lpString=".bz2") returned 4 [0080.066] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0080.066] lstrlenW (lpString=".7z") returned 3 [0080.066] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0080.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0080.067] lstrlenW (lpString=".dbf") returned 4 [0080.067] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0080.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0080.067] lstrlenW (lpString=".1cd") returned 4 [0080.067] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0080.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0080.067] lstrlenW (lpString=".jpg") returned 4 [0080.067] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0080.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0080.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0080.067] lstrlenW (lpString=".doc") returned 4 [0080.067] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0080.067] lstrlenW (lpString=".docx") returned 5 [0080.067] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0080.067] lstrlenW (lpString=".pdf") returned 4 [0080.067] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0080.067] lstrlenW (lpString=".xls") returned 4 [0080.067] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0080.067] lstrlenW (lpString=".xlsx") returned 5 [0080.068] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0080.068] lstrlenW (lpString=".ppt") returned 4 [0080.068] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0080.068] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0080.068] lstrlenW (lpString=".zip") returned 4 [0080.068] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0080.068] lstrlenW (lpString=".rar") returned 4 [0080.068] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0080.068] lstrlenW (lpString=".bz2") returned 4 [0080.068] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0080.068] lstrlenW (lpString=".7z") returned 3 [0080.068] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0080.068] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0080.068] lstrlenW (lpString=".dbf") returned 4 [0080.068] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0080.068] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0080.068] lstrlenW (lpString=".1cd") returned 4 [0080.068] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0080.068] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0080.068] lstrlenW (lpString=".jpg") returned 4 [0080.068] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0080.068] lstrcmpiW (lpString1=".jpg", lpString2=".mnbzr") returned -1 [0080.068] lstrlenW (lpString="Garden.jpg") returned 10 [0080.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0080.069] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=23871) returned 1 [0080.069] CloseHandle (hObject=0x1b0) returned 1 [0080.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg")) returned 0x20 [0080.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0080.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0080.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0080.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0080.069] lstrlenW (lpString=".doc") returned 4 [0080.069] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0080.069] lstrlenW (lpString=".docx") returned 5 [0080.070] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0080.070] lstrlenW (lpString=".pdf") returned 4 [0080.070] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0080.070] lstrlenW (lpString=".xls") returned 4 [0080.070] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0080.070] lstrlenW (lpString=".xlsx") returned 5 [0080.070] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0080.070] lstrlenW (lpString=".ppt") returned 4 [0080.070] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0080.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0080.070] lstrlenW (lpString=".zip") returned 4 [0080.070] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0080.070] lstrlenW (lpString=".rar") returned 4 [0080.070] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0080.070] lstrlenW (lpString=".bz2") returned 4 [0080.070] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0080.070] lstrlenW (lpString=".7z") returned 3 [0080.070] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0080.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0080.070] lstrlenW (lpString=".dbf") returned 4 [0080.070] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0080.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0080.070] lstrlenW (lpString=".1cd") returned 4 [0080.070] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0080.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0080.070] lstrlenW (lpString=".jpg") returned 4 [0080.070] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0080.071] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0080.071] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0080.071] lstrlenW (lpString=".doc") returned 4 [0080.071] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0080.071] lstrlenW (lpString=".docx") returned 5 [0080.071] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0080.071] lstrlenW (lpString=".pdf") returned 4 [0080.071] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0080.071] lstrlenW (lpString=".xls") returned 4 [0080.071] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0080.071] lstrlenW (lpString=".xlsx") returned 5 [0080.071] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0080.071] lstrlenW (lpString=".ppt") returned 4 [0080.071] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0080.071] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0080.071] lstrlenW (lpString=".zip") returned 4 [0080.071] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0080.071] lstrlenW (lpString=".rar") returned 4 [0080.071] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0080.071] lstrlenW (lpString=".bz2") returned 4 [0080.071] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0080.071] lstrlenW (lpString=".7z") returned 3 [0080.071] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0080.071] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0080.071] lstrlenW (lpString=".dbf") returned 4 [0080.071] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0080.071] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0080.072] lstrlenW (lpString=".1cd") returned 4 [0080.072] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0080.072] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0080.072] lstrlenW (lpString=".jpg") returned 4 [0080.072] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0080.072] lstrcmpiW (lpString1=".emf", lpString2=".mnbzr") returned -1 [0080.072] lstrlenW (lpString="Genko_1.emf") returned 11 [0080.072] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0081.540] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=5524) returned 1 [0081.540] CloseHandle (hObject=0x1d4) returned 1 [0081.540] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf")) returned 0x20 [0081.540] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.540] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0081.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0081.540] lstrlenW (lpString=".doc") returned 4 [0081.540] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0081.540] lstrlenW (lpString=".docx") returned 5 [0081.540] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0081.540] lstrlenW (lpString=".pdf") returned 4 [0081.541] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0081.541] lstrlenW (lpString=".xls") returned 4 [0081.541] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0081.541] lstrlenW (lpString=".xlsx") returned 5 [0081.541] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0081.541] lstrlenW (lpString=".ppt") returned 4 [0081.541] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0081.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0081.541] lstrlenW (lpString=".zip") returned 4 [0081.541] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0081.541] lstrlenW (lpString=".rar") returned 4 [0081.541] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0081.541] lstrlenW (lpString=".bz2") returned 4 [0081.541] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0081.541] lstrlenW (lpString=".7z") returned 3 [0081.541] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0081.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0081.541] lstrlenW (lpString=".dbf") returned 4 [0081.541] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0081.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0081.541] lstrlenW (lpString=".1cd") returned 4 [0081.541] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0081.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0081.541] lstrlenW (lpString=".jpg") returned 4 [0081.541] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0081.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0081.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0081.542] lstrlenW (lpString=".doc") returned 4 [0081.542] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0081.542] lstrlenW (lpString=".docx") returned 5 [0081.542] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0081.542] lstrlenW (lpString=".pdf") returned 4 [0081.542] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0081.542] lstrlenW (lpString=".xls") returned 4 [0081.542] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0081.542] lstrlenW (lpString=".xlsx") returned 5 [0081.542] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0081.542] lstrlenW (lpString=".ppt") returned 4 [0081.542] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0081.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0081.542] lstrlenW (lpString=".zip") returned 4 [0081.542] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0081.542] lstrlenW (lpString=".rar") returned 4 [0081.542] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0081.542] lstrlenW (lpString=".bz2") returned 4 [0081.542] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0081.542] lstrlenW (lpString=".7z") returned 3 [0081.542] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0081.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0081.542] lstrlenW (lpString=".dbf") returned 4 [0081.542] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0081.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0081.542] lstrlenW (lpString=".1cd") returned 4 [0081.543] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0081.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0081.543] lstrlenW (lpString=".jpg") returned 4 [0081.543] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0081.543] lstrcmpiW (lpString1=".htm", lpString2=".mnbzr") returned -1 [0081.543] lstrlenW (lpString="Green Bubbles.htm") returned 17 [0081.543] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0081.544] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=237) returned 1 [0081.544] CloseHandle (hObject=0x1d4) returned 1 [0081.544] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm")) returned 0x20 [0081.544] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.544] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0081.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0081.545] lstrlenW (lpString=".doc") returned 4 [0081.545] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0081.545] lstrlenW (lpString=".docx") returned 5 [0081.545] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0081.545] lstrlenW (lpString=".pdf") returned 4 [0081.545] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0081.545] lstrlenW (lpString=".xls") returned 4 [0081.545] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0081.545] lstrlenW (lpString=".xlsx") returned 5 [0081.545] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0081.545] lstrlenW (lpString=".ppt") returned 4 [0081.545] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0081.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0081.545] lstrlenW (lpString=".zip") returned 4 [0081.545] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0081.545] lstrlenW (lpString=".rar") returned 4 [0081.545] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0081.545] lstrlenW (lpString=".bz2") returned 4 [0081.545] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0081.545] lstrlenW (lpString=".7z") returned 3 [0081.545] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0081.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0081.546] lstrlenW (lpString=".dbf") returned 4 [0081.546] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0081.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0081.546] lstrlenW (lpString=".1cd") returned 4 [0081.546] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0081.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0081.546] lstrlenW (lpString=".jpg") returned 4 [0081.546] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0081.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0081.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0081.546] lstrlenW (lpString=".doc") returned 4 [0081.546] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0081.546] lstrlenW (lpString=".docx") returned 5 [0081.546] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0081.546] lstrlenW (lpString=".pdf") returned 4 [0081.546] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0081.546] lstrlenW (lpString=".xls") returned 4 [0081.546] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0081.546] lstrlenW (lpString=".xlsx") returned 5 [0081.546] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0081.546] lstrlenW (lpString=".ppt") returned 4 [0081.546] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0081.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0081.546] lstrlenW (lpString=".zip") returned 4 [0081.546] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0081.547] lstrlenW (lpString=".rar") returned 4 [0081.547] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0081.547] lstrlenW (lpString=".bz2") returned 4 [0081.547] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0081.547] lstrlenW (lpString=".7z") returned 3 [0081.547] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0081.547] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0081.547] lstrlenW (lpString=".dbf") returned 4 [0081.547] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0081.547] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0081.547] lstrlenW (lpString=".1cd") returned 4 [0081.547] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0081.547] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0081.547] lstrlenW (lpString=".jpg") returned 4 [0081.547] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0081.547] lstrcmpiW (lpString1=".jpg", lpString2=".mnbzr") returned -1 [0081.547] lstrlenW (lpString="GreenBubbles.jpg") returned 16 [0081.547] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0081.548] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=6406) returned 1 [0081.548] CloseHandle (hObject=0x1d4) returned 1 [0081.548] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg")) returned 0x20 [0081.548] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.548] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0081.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0081.549] lstrlenW (lpString=".doc") returned 4 [0081.549] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0081.549] lstrlenW (lpString=".docx") returned 5 [0081.549] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0081.549] lstrlenW (lpString=".pdf") returned 4 [0081.549] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0081.549] lstrlenW (lpString=".xls") returned 4 [0081.549] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0081.549] lstrlenW (lpString=".xlsx") returned 5 [0081.549] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0081.549] lstrlenW (lpString=".ppt") returned 4 [0081.549] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0081.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0081.549] lstrlenW (lpString=".zip") returned 4 [0081.549] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0081.549] lstrlenW (lpString=".rar") returned 4 [0081.549] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0081.549] lstrlenW (lpString=".bz2") returned 4 [0081.549] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0081.549] lstrlenW (lpString=".7z") returned 3 [0081.549] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0081.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0081.549] lstrlenW (lpString=".dbf") returned 4 [0081.549] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0081.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0081.549] lstrlenW (lpString=".1cd") returned 4 [0081.549] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0081.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0081.550] lstrlenW (lpString=".jpg") returned 4 [0081.550] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0081.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0081.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0081.550] lstrlenW (lpString=".doc") returned 4 [0081.550] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0081.550] lstrlenW (lpString=".docx") returned 5 [0081.550] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0081.550] lstrlenW (lpString=".pdf") returned 4 [0081.550] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0081.550] lstrlenW (lpString=".xls") returned 4 [0081.550] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0081.550] lstrlenW (lpString=".xlsx") returned 5 [0081.550] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0081.550] lstrlenW (lpString=".ppt") returned 4 [0081.550] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0081.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0081.550] lstrlenW (lpString=".zip") returned 4 [0081.550] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0081.550] lstrlenW (lpString=".rar") returned 4 [0081.550] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0081.550] lstrlenW (lpString=".bz2") returned 4 [0081.550] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0081.550] lstrlenW (lpString=".7z") returned 3 [0081.550] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0081.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0081.551] lstrlenW (lpString=".dbf") returned 4 [0081.551] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0081.551] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0081.551] lstrlenW (lpString=".1cd") returned 4 [0081.551] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0081.551] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0081.551] lstrlenW (lpString=".jpg") returned 4 [0081.551] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0081.551] lstrcmpiW (lpString1=".wmf", lpString2=".mnbzr") returned 1 [0081.551] lstrlenW (lpString="grid_(cm).wmf") returned 13 [0081.551] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0081.551] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=2920) returned 1 [0081.551] CloseHandle (hObject=0x1d4) returned 1 [0081.552] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf")) returned 0x20 [0081.552] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.552] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0081.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0081.552] lstrlenW (lpString=".doc") returned 4 [0081.552] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0081.552] lstrlenW (lpString=".docx") returned 5 [0081.552] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0081.552] lstrlenW (lpString=".pdf") returned 4 [0081.552] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0081.552] lstrlenW (lpString=".xls") returned 4 [0081.552] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0081.552] lstrlenW (lpString=".xlsx") returned 5 [0081.552] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0081.552] lstrlenW (lpString=".ppt") returned 4 [0081.552] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0081.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0081.552] lstrlenW (lpString=".zip") returned 4 [0081.552] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0081.552] lstrlenW (lpString=".rar") returned 4 [0081.552] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0081.552] lstrlenW (lpString=".bz2") returned 4 [0081.553] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0081.553] lstrlenW (lpString=".7z") returned 3 [0081.553] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0081.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0081.553] lstrlenW (lpString=".dbf") returned 4 [0081.553] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0081.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0081.553] lstrlenW (lpString=".1cd") returned 4 [0081.553] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0081.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0081.553] lstrlenW (lpString=".jpg") returned 4 [0081.553] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0081.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0081.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0081.553] lstrlenW (lpString=".doc") returned 4 [0081.553] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0081.553] lstrlenW (lpString=".docx") returned 5 [0081.553] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0081.553] lstrlenW (lpString=".pdf") returned 4 [0081.553] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0081.553] lstrlenW (lpString=".xls") returned 4 [0081.553] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0081.553] lstrlenW (lpString=".xlsx") returned 5 [0081.553] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0081.553] lstrlenW (lpString=".ppt") returned 4 [0081.553] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0081.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0081.554] lstrlenW (lpString=".zip") returned 4 [0081.554] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0081.554] lstrlenW (lpString=".rar") returned 4 [0081.554] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0081.554] lstrlenW (lpString=".bz2") returned 4 [0081.554] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0081.554] lstrlenW (lpString=".7z") returned 3 [0081.554] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0081.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0081.554] lstrlenW (lpString=".dbf") returned 4 [0081.554] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0081.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0081.554] lstrlenW (lpString=".1cd") returned 4 [0081.554] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0081.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0081.554] lstrlenW (lpString=".jpg") returned 4 [0081.554] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0081.554] lstrcmpiW (lpString1=".wmf", lpString2=".mnbzr") returned 1 [0081.554] lstrlenW (lpString="grid_(inch).wmf") returned 15 [0081.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0081.555] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=7498) returned 1 [0081.555] CloseHandle (hObject=0x1d4) returned 1 [0081.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf")) returned 0x20 [0081.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.555] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0081.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0081.555] lstrlenW (lpString=".doc") returned 4 [0081.555] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0081.555] lstrlenW (lpString=".docx") returned 5 [0081.555] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0081.555] lstrlenW (lpString=".pdf") returned 4 [0081.555] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0081.555] lstrlenW (lpString=".xls") returned 4 [0081.555] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0081.555] lstrlenW (lpString=".xlsx") returned 5 [0081.555] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0081.555] lstrlenW (lpString=".ppt") returned 4 [0081.556] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0081.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0081.556] lstrlenW (lpString=".zip") returned 4 [0081.556] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0081.556] lstrlenW (lpString=".rar") returned 4 [0081.556] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0081.556] lstrlenW (lpString=".bz2") returned 4 [0081.556] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0081.556] lstrlenW (lpString=".7z") returned 3 [0081.556] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0081.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0081.556] lstrlenW (lpString=".dbf") returned 4 [0081.556] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0081.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0081.556] lstrlenW (lpString=".1cd") returned 4 [0081.556] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0081.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0081.556] lstrlenW (lpString=".jpg") returned 4 [0081.556] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0081.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0081.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0081.556] lstrlenW (lpString=".doc") returned 4 [0081.556] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0081.556] lstrlenW (lpString=".docx") returned 5 [0081.556] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0081.556] lstrlenW (lpString=".pdf") returned 4 [0081.557] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0081.557] lstrlenW (lpString=".xls") returned 4 [0081.557] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0081.557] lstrlenW (lpString=".xlsx") returned 5 [0081.557] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0081.557] lstrlenW (lpString=".ppt") returned 4 [0081.557] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0081.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0081.557] lstrlenW (lpString=".zip") returned 4 [0081.557] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0081.557] lstrlenW (lpString=".rar") returned 4 [0081.557] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0081.557] lstrlenW (lpString=".bz2") returned 4 [0081.557] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0081.557] lstrlenW (lpString=".7z") returned 3 [0081.557] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0081.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0081.557] lstrlenW (lpString=".dbf") returned 4 [0081.557] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0081.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0081.557] lstrlenW (lpString=".1cd") returned 4 [0081.557] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0081.557] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0081.557] lstrlenW (lpString=".jpg") returned 4 [0081.557] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0081.558] lstrcmpiW (lpString1=".htm", lpString2=".mnbzr") returned -1 [0081.558] lstrlenW (lpString="Hand Prints.htm") returned 15 [0081.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0081.559] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=235) returned 1 [0081.559] CloseHandle (hObject=0x1d4) returned 1 [0081.559] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm")) returned 0x20 [0081.559] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.559] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0081.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0081.559] lstrlenW (lpString=".doc") returned 4 [0081.559] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0081.559] lstrlenW (lpString=".docx") returned 5 [0081.559] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0081.559] lstrlenW (lpString=".pdf") returned 4 [0081.559] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0081.559] lstrlenW (lpString=".xls") returned 4 [0081.559] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0081.559] lstrlenW (lpString=".xlsx") returned 5 [0081.559] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0081.560] lstrlenW (lpString=".ppt") returned 4 [0081.560] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0081.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0081.560] lstrlenW (lpString=".zip") returned 4 [0081.560] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0081.560] lstrlenW (lpString=".rar") returned 4 [0081.560] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0081.560] lstrlenW (lpString=".bz2") returned 4 [0081.560] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0081.560] lstrlenW (lpString=".7z") returned 3 [0081.560] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0081.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0081.560] lstrlenW (lpString=".dbf") returned 4 [0081.560] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0081.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0081.560] lstrlenW (lpString=".1cd") returned 4 [0081.560] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0081.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0081.560] lstrlenW (lpString=".jpg") returned 4 [0081.560] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0081.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0081.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0081.560] lstrlenW (lpString=".doc") returned 4 [0081.560] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0081.560] lstrlenW (lpString=".docx") returned 5 [0081.561] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0081.561] lstrlenW (lpString=".pdf") returned 4 [0081.561] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0081.561] lstrlenW (lpString=".xls") returned 4 [0081.561] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0081.561] lstrlenW (lpString=".xlsx") returned 5 [0081.561] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0081.561] lstrlenW (lpString=".ppt") returned 4 [0081.561] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0081.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0081.561] lstrlenW (lpString=".zip") returned 4 [0081.561] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0081.561] lstrlenW (lpString=".rar") returned 4 [0081.561] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0081.561] lstrlenW (lpString=".bz2") returned 4 [0081.561] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0081.561] lstrlenW (lpString=".7z") returned 3 [0081.561] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0081.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0081.561] lstrlenW (lpString=".dbf") returned 4 [0081.561] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0081.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0081.561] lstrlenW (lpString=".1cd") returned 4 [0081.561] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0081.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0081.561] lstrlenW (lpString=".jpg") returned 4 [0081.561] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0081.562] lstrcmpiW (lpString1=".jpg", lpString2=".mnbzr") returned -1 [0081.562] lstrlenW (lpString="HandPrints.jpg") returned 14 [0081.562] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0081.562] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=4222) returned 1 [0081.562] CloseHandle (hObject=0x1d4) returned 1 [0081.562] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg")) returned 0x20 [0081.562] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.562] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0081.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0081.563] lstrlenW (lpString=".doc") returned 4 [0081.563] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0081.563] lstrlenW (lpString=".docx") returned 5 [0081.563] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0081.563] lstrlenW (lpString=".pdf") returned 4 [0081.563] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0081.563] lstrlenW (lpString=".xls") returned 4 [0081.563] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0081.563] lstrlenW (lpString=".xlsx") returned 5 [0081.563] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0081.563] lstrlenW (lpString=".ppt") returned 4 [0081.563] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0081.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0081.563] lstrlenW (lpString=".zip") returned 4 [0081.563] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0081.563] lstrlenW (lpString=".rar") returned 4 [0081.563] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0081.563] lstrlenW (lpString=".bz2") returned 4 [0081.563] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0081.563] lstrlenW (lpString=".7z") returned 3 [0081.563] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0081.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0081.563] lstrlenW (lpString=".dbf") returned 4 [0081.563] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0083.938] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=25234) returned 1 [0083.938] CloseHandle (hObject=0x1b0) returned 1 [0083.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 0x20 [0083.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0083.938] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0083.938] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.939] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.939] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0083.939] GetLastError () returned 0x0 [0083.939] ReadFile (in: hFile=0x1b0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x6292, lpOverlapped=0x0) returned 1 [0083.942] WriteFile (in: hFile=0x1cc, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x62a0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x62a0, lpOverlapped=0x0) returned 1 [0083.944] ReadFile (in: hFile=0x1b0, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0083.944] WriteFile (in: hFile=0x1cc, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0083.944] SetEndOfFile (hFile=0x1cc) returned 1 [0083.944] CloseHandle (hObject=0x1cc) returned 1 [0083.944] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.944] SetEndOfFile (hFile=0x1b0) returned 1 [0083.945] CloseHandle (hObject=0x1b0) returned 1 [0083.945] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0083.946] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 1 [0083.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0083.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0083.946] lstrlenW (lpString=".doc") returned 4 [0083.946] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0083.946] lstrlenW (lpString=".docx") returned 5 [0083.946] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0083.946] lstrlenW (lpString=".pdf") returned 4 [0083.946] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0083.946] lstrlenW (lpString=".xls") returned 4 [0083.946] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0083.946] lstrlenW (lpString=".xlsx") returned 5 [0083.946] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0083.946] lstrlenW (lpString=".ppt") returned 4 [0083.947] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0083.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0083.947] lstrlenW (lpString=".zip") returned 4 [0083.947] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0083.947] lstrlenW (lpString=".rar") returned 4 [0083.947] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0083.947] lstrlenW (lpString=".bz2") returned 4 [0083.947] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0083.947] lstrlenW (lpString=".7z") returned 3 [0083.947] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0083.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0083.947] lstrlenW (lpString=".dbf") returned 4 [0083.947] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0083.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0083.947] lstrlenW (lpString=".1cd") returned 4 [0083.947] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0083.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0083.947] lstrlenW (lpString=".jpg") returned 4 [0083.947] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0083.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0083.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0083.947] lstrlenW (lpString=".doc") returned 4 [0083.947] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0083.947] lstrlenW (lpString=".docx") returned 5 [0083.947] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0083.947] lstrlenW (lpString=".pdf") returned 4 [0083.947] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0083.947] lstrlenW (lpString=".xls") returned 4 [0083.948] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0083.948] lstrlenW (lpString=".xlsx") returned 5 [0083.948] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0083.948] lstrlenW (lpString=".ppt") returned 4 [0083.948] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0083.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0083.948] lstrlenW (lpString=".zip") returned 4 [0083.948] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0083.948] lstrlenW (lpString=".rar") returned 4 [0083.948] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0083.948] lstrlenW (lpString=".bz2") returned 4 [0083.948] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0083.948] lstrlenW (lpString=".7z") returned 3 [0083.948] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0083.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0083.948] lstrlenW (lpString=".dbf") returned 4 [0083.948] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0083.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0083.948] lstrlenW (lpString=".1cd") returned 4 [0083.948] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0083.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0083.948] lstrlenW (lpString=".jpg") returned 4 [0083.948] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0083.948] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0083.949] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0083.949] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0084.089] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=31837) returned 1 [0084.090] CloseHandle (hObject=0x1ec) returned 1 [0084.090] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 0x20 [0084.090] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0084.090] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0084.090] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.090] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.090] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0084.091] GetLastError () returned 0x0 [0084.091] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x7c5d, lpOverlapped=0x0) returned 1 [0084.094] WriteFile (in: hFile=0x1f4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x7c60, lpOverlapped=0x0) returned 1 [0084.095] ReadFile (in: hFile=0x1ec, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0084.096] WriteFile (in: hFile=0x1f4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0084.096] SetEndOfFile (hFile=0x1f4) returned 1 [0084.096] CloseHandle (hObject=0x1f4) returned 1 [0084.096] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.096] SetEndOfFile (hFile=0x1ec) returned 1 [0084.097] CloseHandle (hObject=0x1ec) returned 1 [0084.098] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0084.098] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 1 [0084.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0084.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0084.098] lstrlenW (lpString=".doc") returned 4 [0084.098] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0084.099] lstrlenW (lpString=".docx") returned 5 [0084.099] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0084.099] lstrlenW (lpString=".pdf") returned 4 [0084.099] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0084.099] lstrlenW (lpString=".xls") returned 4 [0084.099] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0084.099] lstrlenW (lpString=".xlsx") returned 5 [0084.099] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0084.099] lstrlenW (lpString=".ppt") returned 4 [0084.099] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0084.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0084.099] lstrlenW (lpString=".zip") returned 4 [0084.099] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0084.099] lstrlenW (lpString=".rar") returned 4 [0084.099] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0084.099] lstrlenW (lpString=".bz2") returned 4 [0084.099] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0084.099] lstrlenW (lpString=".7z") returned 3 [0084.099] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0084.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0084.099] lstrlenW (lpString=".dbf") returned 4 [0084.099] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0084.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0084.099] lstrlenW (lpString=".1cd") returned 4 [0084.099] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0084.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0084.099] lstrlenW (lpString=".jpg") returned 4 [0084.099] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0084.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0084.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0084.100] lstrlenW (lpString=".doc") returned 4 [0084.100] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0084.100] lstrlenW (lpString=".docx") returned 5 [0084.100] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0084.100] lstrlenW (lpString=".pdf") returned 4 [0084.100] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0084.100] lstrlenW (lpString=".xls") returned 4 [0084.100] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0084.100] lstrlenW (lpString=".xlsx") returned 5 [0084.100] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0084.100] lstrlenW (lpString=".ppt") returned 4 [0084.100] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0084.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0084.100] lstrlenW (lpString=".zip") returned 4 [0084.100] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0084.100] lstrlenW (lpString=".rar") returned 4 [0084.100] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0084.100] lstrlenW (lpString=".bz2") returned 4 [0084.100] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0084.100] lstrlenW (lpString=".7z") returned 3 [0084.100] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0084.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0084.100] lstrlenW (lpString=".dbf") returned 4 [0084.100] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0084.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0084.101] lstrlenW (lpString=".1cd") returned 4 [0084.101] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0084.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0084.101] lstrlenW (lpString=".jpg") returned 4 [0084.101] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0084.101] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0084.101] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0084.101] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0084.576] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=43276) returned 1 [0084.576] CloseHandle (hObject=0x1f4) returned 1 [0084.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 0x20 [0084.577] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0084.577] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0084.577] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.577] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.577] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0084.577] GetLastError () returned 0x0 [0084.577] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0xa90c, lpOverlapped=0x0) returned 1 [0084.654] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xa910, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xa910, lpOverlapped=0x0) returned 1 [0084.683] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0084.689] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0084.710] SetEndOfFile (hFile=0x1b0) returned 1 [0084.711] CloseHandle (hObject=0x1b0) returned 1 [0084.723] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0084.756] SetEndOfFile (hFile=0x1f4) returned 1 [0085.140] CloseHandle (hObject=0x1f4) returned 1 [0085.145] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.150] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 1 [0085.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0085.155] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0085.155] lstrlenW (lpString=".doc") returned 4 [0085.155] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.155] lstrlenW (lpString=".docx") returned 5 [0085.155] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.155] lstrlenW (lpString=".pdf") returned 4 [0085.155] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.155] lstrlenW (lpString=".xls") returned 4 [0085.155] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.155] lstrlenW (lpString=".xlsx") returned 5 [0085.155] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.155] lstrlenW (lpString=".ppt") returned 4 [0085.156] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0085.156] lstrlenW (lpString=".zip") returned 4 [0085.156] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.156] lstrlenW (lpString=".rar") returned 4 [0085.156] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.156] lstrlenW (lpString=".bz2") returned 4 [0085.156] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.156] lstrlenW (lpString=".7z") returned 3 [0085.156] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0085.156] lstrlenW (lpString=".dbf") returned 4 [0085.156] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0085.156] lstrlenW (lpString=".1cd") returned 4 [0085.156] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0085.156] lstrlenW (lpString=".jpg") returned 4 [0085.156] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0085.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0085.156] lstrlenW (lpString=".doc") returned 4 [0085.156] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.156] lstrlenW (lpString=".docx") returned 5 [0085.156] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.157] lstrlenW (lpString=".pdf") returned 4 [0085.157] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.157] lstrlenW (lpString=".xls") returned 4 [0085.157] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.157] lstrlenW (lpString=".xlsx") returned 5 [0085.157] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.157] lstrlenW (lpString=".ppt") returned 4 [0085.157] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.157] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0085.157] lstrlenW (lpString=".zip") returned 4 [0085.157] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.157] lstrlenW (lpString=".rar") returned 4 [0085.157] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.157] lstrlenW (lpString=".bz2") returned 4 [0085.157] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.157] lstrlenW (lpString=".7z") returned 3 [0085.157] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.157] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0085.157] lstrlenW (lpString=".dbf") returned 4 [0085.157] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.157] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0085.157] lstrlenW (lpString=".1cd") returned 4 [0085.157] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.157] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0085.157] lstrlenW (lpString=".jpg") returned 4 [0085.157] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.158] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.158] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.158] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0085.158] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=20575) returned 1 [0085.158] CloseHandle (hObject=0x1f4) returned 1 [0085.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 0x20 [0085.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.159] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0085.159] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.159] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.159] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.160] GetLastError () returned 0x0 [0085.160] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x505f, lpOverlapped=0x0) returned 1 [0085.171] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x5060, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x5060, lpOverlapped=0x0) returned 1 [0085.172] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.172] WriteFile (in: hFile=0x1b0, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.172] SetEndOfFile (hFile=0x1b0) returned 1 [0085.172] CloseHandle (hObject=0x1b0) returned 1 [0085.173] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.173] SetEndOfFile (hFile=0x1f4) returned 1 [0085.174] CloseHandle (hObject=0x1f4) returned 1 [0085.174] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.174] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 1 [0085.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0085.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0085.174] lstrlenW (lpString=".doc") returned 4 [0085.174] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.174] lstrlenW (lpString=".docx") returned 5 [0085.174] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.174] lstrlenW (lpString=".pdf") returned 4 [0085.174] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.174] lstrlenW (lpString=".xls") returned 4 [0085.174] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.174] lstrlenW (lpString=".xlsx") returned 5 [0085.174] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.174] lstrlenW (lpString=".ppt") returned 4 [0085.174] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0085.174] lstrlenW (lpString=".zip") returned 4 [0085.174] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.175] lstrlenW (lpString=".rar") returned 4 [0085.175] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.175] lstrlenW (lpString=".bz2") returned 4 [0085.175] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.175] lstrlenW (lpString=".7z") returned 3 [0085.175] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0085.175] lstrlenW (lpString=".dbf") returned 4 [0085.175] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0085.175] lstrlenW (lpString=".1cd") returned 4 [0085.175] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0085.175] lstrlenW (lpString=".jpg") returned 4 [0085.175] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0085.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0085.175] lstrlenW (lpString=".doc") returned 4 [0085.175] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.175] lstrlenW (lpString=".docx") returned 5 [0085.175] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.175] lstrlenW (lpString=".pdf") returned 4 [0085.175] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.175] lstrlenW (lpString=".xls") returned 4 [0085.175] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.175] lstrlenW (lpString=".xlsx") returned 5 [0085.175] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.175] lstrlenW (lpString=".ppt") returned 4 [0085.175] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0085.175] lstrlenW (lpString=".zip") returned 4 [0085.175] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.175] lstrlenW (lpString=".rar") returned 4 [0085.175] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.176] lstrlenW (lpString=".bz2") returned 4 [0085.176] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.176] lstrlenW (lpString=".7z") returned 3 [0085.176] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0085.176] lstrlenW (lpString=".dbf") returned 4 [0085.176] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0085.176] lstrlenW (lpString=".1cd") returned 4 [0085.176] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0085.176] lstrlenW (lpString=".jpg") returned 4 [0085.176] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.176] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.176] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.176] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0085.176] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=28595) returned 1 [0085.177] CloseHandle (hObject=0x1f4) returned 1 [0085.177] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 0x20 [0085.177] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.177] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0085.177] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.177] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.177] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0085.347] GetLastError () returned 0x0 [0085.347] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x6fb3, lpOverlapped=0x0) returned 1 [0085.349] WriteFile (in: hFile=0x1ec, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x6fc0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x6fc0, lpOverlapped=0x0) returned 1 [0085.351] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.351] WriteFile (in: hFile=0x1ec, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.351] SetEndOfFile (hFile=0x1ec) returned 1 [0085.351] CloseHandle (hObject=0x1ec) returned 1 [0085.352] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.352] SetEndOfFile (hFile=0x1f4) returned 1 [0085.353] CloseHandle (hObject=0x1f4) returned 1 [0085.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.353] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 1 [0085.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0085.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0085.354] lstrlenW (lpString=".doc") returned 4 [0085.354] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.354] lstrlenW (lpString=".docx") returned 5 [0085.354] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.354] lstrlenW (lpString=".pdf") returned 4 [0085.354] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.354] lstrlenW (lpString=".xls") returned 4 [0085.354] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.354] lstrlenW (lpString=".xlsx") returned 5 [0085.354] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.354] lstrlenW (lpString=".ppt") returned 4 [0085.354] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0085.354] lstrlenW (lpString=".zip") returned 4 [0085.354] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.354] lstrlenW (lpString=".rar") returned 4 [0085.354] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.354] lstrlenW (lpString=".bz2") returned 4 [0085.355] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.355] lstrlenW (lpString=".7z") returned 3 [0085.355] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0085.355] lstrlenW (lpString=".dbf") returned 4 [0085.355] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0085.355] lstrlenW (lpString=".1cd") returned 4 [0085.355] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0085.355] lstrlenW (lpString=".jpg") returned 4 [0085.355] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0085.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0085.355] lstrlenW (lpString=".doc") returned 4 [0085.355] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.355] lstrlenW (lpString=".docx") returned 5 [0085.355] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.355] lstrlenW (lpString=".pdf") returned 4 [0085.355] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.355] lstrlenW (lpString=".xls") returned 4 [0085.355] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.355] lstrlenW (lpString=".xlsx") returned 5 [0085.356] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.356] lstrlenW (lpString=".ppt") returned 4 [0085.356] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0085.356] lstrlenW (lpString=".zip") returned 4 [0085.356] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.356] lstrlenW (lpString=".rar") returned 4 [0085.356] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.356] lstrlenW (lpString=".bz2") returned 4 [0085.356] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.356] lstrlenW (lpString=".7z") returned 3 [0085.356] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0085.356] lstrlenW (lpString=".dbf") returned 4 [0085.356] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0085.356] lstrlenW (lpString=".1cd") returned 4 [0085.356] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0085.356] lstrlenW (lpString=".jpg") returned 4 [0085.356] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.356] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.356] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.357] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0085.358] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=32403) returned 1 [0085.358] CloseHandle (hObject=0x1f4) returned 1 [0085.358] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 0x20 [0085.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.359] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0085.359] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.359] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.359] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0085.371] GetLastError () returned 0x0 [0085.371] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x7e93, lpOverlapped=0x0) returned 1 [0085.549] WriteFile (in: hFile=0x1d8, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x7ea0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x7ea0, lpOverlapped=0x0) returned 1 [0085.551] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.551] WriteFile (in: hFile=0x1d8, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.551] SetEndOfFile (hFile=0x1d8) returned 1 [0085.551] CloseHandle (hObject=0x1d8) returned 1 [0085.552] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.552] SetEndOfFile (hFile=0x1f4) returned 1 [0085.553] CloseHandle (hObject=0x1f4) returned 1 [0085.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.553] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 1 [0085.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0085.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0085.554] lstrlenW (lpString=".doc") returned 4 [0085.554] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.554] lstrlenW (lpString=".docx") returned 5 [0085.554] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.554] lstrlenW (lpString=".pdf") returned 4 [0085.554] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.554] lstrlenW (lpString=".xls") returned 4 [0085.554] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.554] lstrlenW (lpString=".xlsx") returned 5 [0085.554] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.554] lstrlenW (lpString=".ppt") returned 4 [0085.554] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0085.554] lstrlenW (lpString=".zip") returned 4 [0085.554] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.554] lstrlenW (lpString=".rar") returned 4 [0085.554] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.554] lstrlenW (lpString=".bz2") returned 4 [0085.554] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.555] lstrlenW (lpString=".7z") returned 3 [0085.555] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0085.555] lstrlenW (lpString=".dbf") returned 4 [0085.555] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0085.555] lstrlenW (lpString=".1cd") returned 4 [0085.555] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0085.555] lstrlenW (lpString=".jpg") returned 4 [0085.555] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0085.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0085.555] lstrlenW (lpString=".doc") returned 4 [0085.555] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.555] lstrlenW (lpString=".docx") returned 5 [0085.555] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.555] lstrlenW (lpString=".pdf") returned 4 [0085.555] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.555] lstrlenW (lpString=".xls") returned 4 [0085.555] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.555] lstrlenW (lpString=".xlsx") returned 5 [0085.555] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.555] lstrlenW (lpString=".ppt") returned 4 [0085.555] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.555] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0085.556] lstrlenW (lpString=".zip") returned 4 [0085.556] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.556] lstrlenW (lpString=".rar") returned 4 [0085.556] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.556] lstrlenW (lpString=".bz2") returned 4 [0085.556] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.556] lstrlenW (lpString=".7z") returned 3 [0085.556] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0085.556] lstrlenW (lpString=".dbf") returned 4 [0085.556] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0085.556] lstrlenW (lpString=".1cd") returned 4 [0085.556] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.556] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0085.556] lstrlenW (lpString=".jpg") returned 4 [0085.556] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.556] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.556] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0085.840] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=18817) returned 1 [0085.840] CloseHandle (hObject=0x1e8) returned 1 [0085.840] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 0x20 [0085.843] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.856] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0085.856] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.856] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.856] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0085.867] GetLastError () returned 0x0 [0085.867] ReadFile (in: hFile=0x204, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x4981, lpOverlapped=0x0) returned 1 [0085.869] WriteFile (in: hFile=0x1f4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x4990, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x4990, lpOverlapped=0x0) returned 1 [0085.870] ReadFile (in: hFile=0x204, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.870] WriteFile (in: hFile=0x1f4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.870] SetEndOfFile (hFile=0x1f4) returned 1 [0085.871] CloseHandle (hObject=0x1f4) returned 1 [0085.871] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.871] SetEndOfFile (hFile=0x204) returned 1 [0085.872] CloseHandle (hObject=0x204) returned 1 [0085.872] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0085.872] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 1 [0085.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0085.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0085.872] lstrlenW (lpString=".doc") returned 4 [0085.872] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.872] lstrlenW (lpString=".docx") returned 5 [0085.872] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.872] lstrlenW (lpString=".pdf") returned 4 [0085.872] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.873] lstrlenW (lpString=".xls") returned 4 [0085.873] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.873] lstrlenW (lpString=".xlsx") returned 5 [0085.873] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.873] lstrlenW (lpString=".ppt") returned 4 [0085.873] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0085.873] lstrlenW (lpString=".zip") returned 4 [0085.873] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.873] lstrlenW (lpString=".rar") returned 4 [0085.873] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.873] lstrlenW (lpString=".bz2") returned 4 [0085.873] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.873] lstrlenW (lpString=".7z") returned 3 [0085.873] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0085.873] lstrlenW (lpString=".dbf") returned 4 [0085.873] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0085.873] lstrlenW (lpString=".1cd") returned 4 [0085.873] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0085.873] lstrlenW (lpString=".jpg") returned 4 [0085.873] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0085.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0085.873] lstrlenW (lpString=".doc") returned 4 [0085.873] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0085.873] lstrlenW (lpString=".docx") returned 5 [0085.873] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0085.873] lstrlenW (lpString=".pdf") returned 4 [0085.873] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0085.873] lstrlenW (lpString=".xls") returned 4 [0085.874] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0085.874] lstrlenW (lpString=".xlsx") returned 5 [0085.874] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0085.874] lstrlenW (lpString=".ppt") returned 4 [0085.874] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0085.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0085.874] lstrlenW (lpString=".zip") returned 4 [0085.874] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0085.874] lstrlenW (lpString=".rar") returned 4 [0085.874] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0085.874] lstrlenW (lpString=".bz2") returned 4 [0085.874] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0085.874] lstrlenW (lpString=".7z") returned 3 [0085.874] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0085.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0085.874] lstrlenW (lpString=".dbf") returned 4 [0085.874] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0085.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0085.874] lstrlenW (lpString=".1cd") returned 4 [0085.874] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0085.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0085.874] lstrlenW (lpString=".jpg") returned 4 [0085.874] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0085.874] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0085.874] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0085.874] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0086.223] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=48115) returned 1 [0086.223] CloseHandle (hObject=0x1e8) returned 1 [0086.233] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 0x20 [0086.233] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.233] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0086.243] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.243] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0086.247] GetLastError () returned 0x0 [0086.247] ReadFile (in: hFile=0x1e8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0xbbf3, lpOverlapped=0x0) returned 1 [0086.253] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xbc00, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xbc00, lpOverlapped=0x0) returned 1 [0086.255] ReadFile (in: hFile=0x1e8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.255] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0086.255] SetEndOfFile (hFile=0x204) returned 1 [0086.255] CloseHandle (hObject=0x204) returned 1 [0086.255] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.256] SetEndOfFile (hFile=0x1e8) returned 1 [0086.257] CloseHandle (hObject=0x1e8) returned 1 [0086.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.257] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 1 [0086.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0086.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0086.258] lstrlenW (lpString=".doc") returned 4 [0086.258] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.258] lstrlenW (lpString=".docx") returned 5 [0086.258] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.258] lstrlenW (lpString=".pdf") returned 4 [0086.258] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.258] lstrlenW (lpString=".xls") returned 4 [0086.258] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.258] lstrlenW (lpString=".xlsx") returned 5 [0086.258] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.258] lstrlenW (lpString=".ppt") returned 4 [0086.258] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0086.258] lstrlenW (lpString=".zip") returned 4 [0086.258] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.258] lstrlenW (lpString=".rar") returned 4 [0086.258] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.258] lstrlenW (lpString=".bz2") returned 4 [0086.258] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.258] lstrlenW (lpString=".7z") returned 3 [0086.258] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0086.258] lstrlenW (lpString=".dbf") returned 4 [0086.259] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0086.259] lstrlenW (lpString=".1cd") returned 4 [0086.259] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0086.259] lstrlenW (lpString=".jpg") returned 4 [0086.259] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0086.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0086.259] lstrlenW (lpString=".doc") returned 4 [0086.259] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.259] lstrlenW (lpString=".docx") returned 5 [0086.259] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.259] lstrlenW (lpString=".pdf") returned 4 [0086.259] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.259] lstrlenW (lpString=".xls") returned 4 [0086.259] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.259] lstrlenW (lpString=".xlsx") returned 5 [0086.259] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.270] lstrlenW (lpString=".ppt") returned 4 [0086.270] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0086.270] lstrlenW (lpString=".zip") returned 4 [0086.270] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.270] lstrlenW (lpString=".rar") returned 4 [0086.270] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.270] lstrlenW (lpString=".bz2") returned 4 [0086.270] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.270] lstrlenW (lpString=".7z") returned 3 [0086.270] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0086.270] lstrlenW (lpString=".dbf") returned 4 [0086.270] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0086.270] lstrlenW (lpString=".1cd") returned 4 [0086.270] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0086.270] lstrlenW (lpString=".jpg") returned 4 [0086.270] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.271] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0086.271] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0086.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0086.271] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=19563) returned 1 [0086.271] CloseHandle (hObject=0x1e8) returned 1 [0086.272] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 0x20 [0086.272] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0086.272] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.272] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0086.272] GetLastError () returned 0x0 [0086.272] ReadFile (in: hFile=0x1e8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x4c6b, lpOverlapped=0x0) returned 1 [0086.275] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x4c70, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x4c70, lpOverlapped=0x0) returned 1 [0086.276] ReadFile (in: hFile=0x1e8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.276] WriteFile (in: hFile=0x204, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0086.276] SetEndOfFile (hFile=0x204) returned 1 [0086.276] CloseHandle (hObject=0x204) returned 1 [0086.277] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.277] SetEndOfFile (hFile=0x1e8) returned 1 [0086.278] CloseHandle (hObject=0x1e8) returned 1 [0086.278] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.278] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 1 [0086.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0086.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0086.279] lstrlenW (lpString=".doc") returned 4 [0086.279] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.279] lstrlenW (lpString=".docx") returned 5 [0086.279] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.279] lstrlenW (lpString=".pdf") returned 4 [0086.279] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.279] lstrlenW (lpString=".xls") returned 4 [0086.279] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.279] lstrlenW (lpString=".xlsx") returned 5 [0086.279] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.279] lstrlenW (lpString=".ppt") returned 4 [0086.279] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0086.279] lstrlenW (lpString=".zip") returned 4 [0086.279] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.279] lstrlenW (lpString=".rar") returned 4 [0086.279] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.279] lstrlenW (lpString=".bz2") returned 4 [0086.279] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.279] lstrlenW (lpString=".7z") returned 3 [0086.279] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0086.279] lstrlenW (lpString=".dbf") returned 4 [0086.279] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0086.279] lstrlenW (lpString=".1cd") returned 4 [0086.279] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0086.279] lstrlenW (lpString=".jpg") returned 4 [0086.280] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0086.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0086.280] lstrlenW (lpString=".doc") returned 4 [0086.280] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.280] lstrlenW (lpString=".docx") returned 5 [0086.280] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.280] lstrlenW (lpString=".pdf") returned 4 [0086.280] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.280] lstrlenW (lpString=".xls") returned 4 [0086.280] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.280] lstrlenW (lpString=".xlsx") returned 5 [0086.280] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.280] lstrlenW (lpString=".ppt") returned 4 [0086.280] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0086.280] lstrlenW (lpString=".zip") returned 4 [0086.280] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.280] lstrlenW (lpString=".rar") returned 4 [0086.280] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.280] lstrlenW (lpString=".bz2") returned 4 [0086.280] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.280] lstrlenW (lpString=".7z") returned 3 [0086.280] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0086.280] lstrlenW (lpString=".dbf") returned 4 [0086.281] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0086.281] lstrlenW (lpString=".1cd") returned 4 [0086.281] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0086.281] lstrlenW (lpString=".jpg") returned 4 [0086.281] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.281] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0086.281] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0086.281] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0086.282] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1423) returned 1 [0086.282] CloseHandle (hObject=0x1e8) returned 1 [0086.282] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 0x20 [0086.282] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.282] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0086.282] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.282] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.282] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0086.285] GetLastError () returned 0x0 [0086.285] ReadFile (in: hFile=0x1e8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x58f, lpOverlapped=0x0) returned 1 [0086.287] WriteFile (in: hFile=0x210, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x590, lpOverlapped=0x0) returned 1 [0086.288] ReadFile (in: hFile=0x1e8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.288] WriteFile (in: hFile=0x210, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0086.288] SetEndOfFile (hFile=0x210) returned 1 [0086.288] CloseHandle (hObject=0x210) returned 1 [0086.288] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.289] SetEndOfFile (hFile=0x1e8) returned 1 [0086.289] CloseHandle (hObject=0x1e8) returned 1 [0086.290] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.290] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 1 [0086.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0086.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0086.290] lstrlenW (lpString=".doc") returned 4 [0086.290] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0086.290] lstrlenW (lpString=".docx") returned 5 [0086.290] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0086.290] lstrlenW (lpString=".pdf") returned 4 [0086.290] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0086.290] lstrlenW (lpString=".xls") returned 4 [0086.291] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0086.291] lstrlenW (lpString=".xlsx") returned 5 [0086.291] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0086.291] lstrlenW (lpString=".ppt") returned 4 [0086.291] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0086.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0086.291] lstrlenW (lpString=".zip") returned 4 [0086.291] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0086.291] lstrlenW (lpString=".rar") returned 4 [0086.291] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0086.291] lstrlenW (lpString=".bz2") returned 4 [0086.291] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0086.291] lstrlenW (lpString=".7z") returned 3 [0086.291] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0086.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0086.291] lstrlenW (lpString=".dbf") returned 4 [0086.291] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0086.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0086.291] lstrlenW (lpString=".1cd") returned 4 [0086.291] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0086.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0086.291] lstrlenW (lpString=".jpg") returned 4 [0086.291] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0086.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0086.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0086.292] lstrlenW (lpString=".doc") returned 4 [0086.292] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0086.292] lstrlenW (lpString=".docx") returned 5 [0086.292] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0086.292] lstrlenW (lpString=".pdf") returned 4 [0086.292] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0086.292] lstrlenW (lpString=".xls") returned 4 [0086.292] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0086.292] lstrlenW (lpString=".xlsx") returned 5 [0086.292] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0086.292] lstrlenW (lpString=".ppt") returned 4 [0086.292] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0086.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0086.292] lstrlenW (lpString=".zip") returned 4 [0086.292] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0086.292] lstrlenW (lpString=".rar") returned 4 [0086.292] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0086.292] lstrlenW (lpString=".bz2") returned 4 [0086.292] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0086.292] lstrlenW (lpString=".7z") returned 3 [0086.292] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0086.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0086.292] lstrlenW (lpString=".dbf") returned 4 [0086.292] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0086.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0086.292] lstrlenW (lpString=".1cd") returned 4 [0086.292] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0086.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0086.293] lstrlenW (lpString=".jpg") returned 4 [0086.293] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0086.293] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0086.293] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0086.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0086.293] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=15737) returned 1 [0086.293] CloseHandle (hObject=0x1e8) returned 1 [0086.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 0x20 [0086.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0086.294] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.294] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0086.294] GetLastError () returned 0x0 [0086.294] ReadFile (in: hFile=0x1e8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x3d79, lpOverlapped=0x0) returned 1 [0086.536] WriteFile (in: hFile=0x210, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x3d80, lpOverlapped=0x0) returned 1 [0086.538] ReadFile (in: hFile=0x1e8, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.538] WriteFile (in: hFile=0x210, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0086.538] SetEndOfFile (hFile=0x210) returned 1 [0086.538] CloseHandle (hObject=0x210) returned 1 [0086.539] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.539] SetEndOfFile (hFile=0x1e8) returned 1 [0086.549] CloseHandle (hObject=0x1e8) returned 1 [0086.549] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0086.549] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 1 [0086.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0086.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0086.550] lstrlenW (lpString=".doc") returned 4 [0086.550] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.550] lstrlenW (lpString=".docx") returned 5 [0086.550] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.550] lstrlenW (lpString=".pdf") returned 4 [0086.550] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.550] lstrlenW (lpString=".xls") returned 4 [0086.550] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.550] lstrlenW (lpString=".xlsx") returned 5 [0086.550] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.550] lstrlenW (lpString=".ppt") returned 4 [0086.550] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0086.550] lstrlenW (lpString=".zip") returned 4 [0086.550] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.550] lstrlenW (lpString=".rar") returned 4 [0086.550] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.550] lstrlenW (lpString=".bz2") returned 4 [0086.550] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.550] lstrlenW (lpString=".7z") returned 3 [0086.550] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0086.550] lstrlenW (lpString=".dbf") returned 4 [0086.550] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.550] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0086.550] lstrlenW (lpString=".1cd") returned 4 [0086.550] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.551] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0086.551] lstrlenW (lpString=".jpg") returned 4 [0086.551] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.551] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0086.551] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0086.551] lstrlenW (lpString=".doc") returned 4 [0086.551] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0086.551] lstrlenW (lpString=".docx") returned 5 [0086.551] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0086.551] lstrlenW (lpString=".pdf") returned 4 [0086.551] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0086.551] lstrlenW (lpString=".xls") returned 4 [0086.551] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0086.551] lstrlenW (lpString=".xlsx") returned 5 [0086.551] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0086.551] lstrlenW (lpString=".ppt") returned 4 [0086.551] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0086.551] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0086.551] lstrlenW (lpString=".zip") returned 4 [0086.551] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0086.551] lstrlenW (lpString=".rar") returned 4 [0086.551] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0086.551] lstrlenW (lpString=".bz2") returned 4 [0086.551] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0086.551] lstrlenW (lpString=".7z") returned 3 [0086.552] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0086.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0086.552] lstrlenW (lpString=".dbf") returned 4 [0086.552] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0086.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0086.552] lstrlenW (lpString=".1cd") returned 4 [0086.552] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0086.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0086.552] lstrlenW (lpString=".jpg") returned 4 [0086.552] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0086.552] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0086.552] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0086.552] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0087.665] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=53115) returned 1 [0087.665] CloseHandle (hObject=0x200) returned 1 [0087.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 0x20 [0087.666] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0087.666] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0087.666] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0087.666] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0087.667] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0087.677] GetLastError () returned 0x0 [0087.677] ReadFile (in: hFile=0x214, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0xcf7b, lpOverlapped=0x0) returned 1 [0088.056] WriteFile (in: hFile=0x1c8, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xcf80, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xcf80, lpOverlapped=0x0) returned 1 [0088.058] ReadFile (in: hFile=0x214, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0088.058] WriteFile (in: hFile=0x1c8, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0088.058] SetEndOfFile (hFile=0x1c8) returned 1 [0088.058] CloseHandle (hObject=0x1c8) returned 1 [0088.058] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.058] SetEndOfFile (hFile=0x214) returned 1 [0088.059] CloseHandle (hObject=0x214) returned 1 [0088.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0088.060] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 1 [0088.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0088.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0088.061] lstrlenW (lpString=".doc") returned 4 [0088.061] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0088.061] lstrlenW (lpString=".docx") returned 5 [0088.061] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0088.061] lstrlenW (lpString=".pdf") returned 4 [0088.061] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0088.061] lstrlenW (lpString=".xls") returned 4 [0088.061] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0088.061] lstrlenW (lpString=".xlsx") returned 5 [0088.061] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0088.061] lstrlenW (lpString=".ppt") returned 4 [0088.061] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0088.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0088.061] lstrlenW (lpString=".zip") returned 4 [0088.061] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0088.061] lstrlenW (lpString=".rar") returned 4 [0088.061] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0088.061] lstrlenW (lpString=".bz2") returned 4 [0088.061] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0088.061] lstrlenW (lpString=".7z") returned 3 [0088.061] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0088.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0088.061] lstrlenW (lpString=".dbf") returned 4 [0088.061] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0088.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0088.061] lstrlenW (lpString=".1cd") returned 4 [0088.061] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0088.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0088.061] lstrlenW (lpString=".jpg") returned 4 [0088.061] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0088.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0088.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0088.062] lstrlenW (lpString=".doc") returned 4 [0088.062] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0088.062] lstrlenW (lpString=".docx") returned 5 [0088.062] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0088.062] lstrlenW (lpString=".pdf") returned 4 [0088.062] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0088.062] lstrlenW (lpString=".xls") returned 4 [0088.062] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0088.062] lstrlenW (lpString=".xlsx") returned 5 [0088.062] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0088.062] lstrlenW (lpString=".ppt") returned 4 [0088.062] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0088.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0088.062] lstrlenW (lpString=".zip") returned 4 [0088.062] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0088.062] lstrlenW (lpString=".rar") returned 4 [0088.062] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0088.062] lstrlenW (lpString=".bz2") returned 4 [0088.062] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0088.062] lstrlenW (lpString=".7z") returned 3 [0088.062] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0088.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0088.062] lstrlenW (lpString=".dbf") returned 4 [0088.062] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0088.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0088.062] lstrlenW (lpString=".1cd") returned 4 [0088.062] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0088.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0088.062] lstrlenW (lpString=".jpg") returned 4 [0088.062] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0088.063] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0088.063] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0088.063] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0088.225] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=29305) returned 1 [0088.225] CloseHandle (hObject=0x1cc) returned 1 [0088.225] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 0x20 [0088.229] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0088.290] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0088.290] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.290] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.290] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0088.291] GetLastError () returned 0x0 [0088.291] ReadFile (in: hFile=0x210, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x7279, lpOverlapped=0x0) returned 1 [0088.586] WriteFile (in: hFile=0x1f4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x7280, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x7280, lpOverlapped=0x0) returned 1 [0088.588] ReadFile (in: hFile=0x210, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0088.588] WriteFile (in: hFile=0x1f4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0088.588] SetEndOfFile (hFile=0x1f4) returned 1 [0088.588] CloseHandle (hObject=0x1f4) returned 1 [0088.588] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.588] SetEndOfFile (hFile=0x210) returned 1 [0088.589] CloseHandle (hObject=0x210) returned 1 [0088.589] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0088.589] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 1 [0088.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0088.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0088.590] lstrlenW (lpString=".doc") returned 4 [0088.590] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0088.590] lstrlenW (lpString=".docx") returned 5 [0088.590] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0088.590] lstrlenW (lpString=".pdf") returned 4 [0088.590] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0088.590] lstrlenW (lpString=".xls") returned 4 [0088.590] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0088.590] lstrlenW (lpString=".xlsx") returned 5 [0088.590] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0088.590] lstrlenW (lpString=".ppt") returned 4 [0088.590] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0088.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0088.590] lstrlenW (lpString=".zip") returned 4 [0088.590] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0088.590] lstrlenW (lpString=".rar") returned 4 [0088.590] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0088.590] lstrlenW (lpString=".bz2") returned 4 [0088.590] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0088.590] lstrlenW (lpString=".7z") returned 3 [0088.590] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0088.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0088.590] lstrlenW (lpString=".dbf") returned 4 [0088.590] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0088.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0088.590] lstrlenW (lpString=".1cd") returned 4 [0088.590] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0088.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0088.590] lstrlenW (lpString=".jpg") returned 4 [0088.590] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0088.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0088.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0088.591] lstrlenW (lpString=".doc") returned 4 [0088.591] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0088.591] lstrlenW (lpString=".docx") returned 5 [0088.591] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0088.591] lstrlenW (lpString=".pdf") returned 4 [0088.591] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0088.591] lstrlenW (lpString=".xls") returned 4 [0088.591] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0088.591] lstrlenW (lpString=".xlsx") returned 5 [0088.591] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0088.591] lstrlenW (lpString=".ppt") returned 4 [0088.591] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0088.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0088.591] lstrlenW (lpString=".zip") returned 4 [0088.591] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0088.591] lstrlenW (lpString=".rar") returned 4 [0088.591] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0088.591] lstrlenW (lpString=".bz2") returned 4 [0088.591] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0088.591] lstrlenW (lpString=".7z") returned 3 [0088.591] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0088.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0088.591] lstrlenW (lpString=".dbf") returned 4 [0088.591] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0088.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0088.591] lstrlenW (lpString=".1cd") returned 4 [0088.591] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0088.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0088.591] lstrlenW (lpString=".jpg") returned 4 [0088.591] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0088.592] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0088.592] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0088.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0088.629] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=2209) returned 1 [0088.629] CloseHandle (hObject=0x1f4) returned 1 [0088.629] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif")) returned 0x20 [0088.630] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0088.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0088.631] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.631] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.631] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0089.725] GetLastError () returned 0x0 [0089.725] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x8a1, lpOverlapped=0x0) returned 1 [0089.750] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x8b0, lpOverlapped=0x0) returned 1 [0089.752] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0089.752] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0089.752] SetEndOfFile (hFile=0x1d4) returned 1 [0089.752] CloseHandle (hObject=0x1d4) returned 1 [0089.752] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.752] SetEndOfFile (hFile=0x1f4) returned 1 [0089.753] CloseHandle (hObject=0x1f4) returned 1 [0089.753] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0089.754] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif")) returned 1 [0089.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0089.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0089.754] lstrlenW (lpString=".doc") returned 4 [0089.754] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0089.754] lstrlenW (lpString=".docx") returned 5 [0089.754] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0089.754] lstrlenW (lpString=".pdf") returned 4 [0089.754] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0089.755] lstrlenW (lpString=".xls") returned 4 [0089.755] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0089.755] lstrlenW (lpString=".xlsx") returned 5 [0089.755] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0089.755] lstrlenW (lpString=".ppt") returned 4 [0089.755] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0089.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0089.755] lstrlenW (lpString=".zip") returned 4 [0089.755] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0089.755] lstrlenW (lpString=".rar") returned 4 [0089.755] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0089.755] lstrlenW (lpString=".bz2") returned 4 [0089.755] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0089.755] lstrlenW (lpString=".7z") returned 3 [0089.755] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0089.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0089.755] lstrlenW (lpString=".dbf") returned 4 [0089.755] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0089.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0089.755] lstrlenW (lpString=".1cd") returned 4 [0089.755] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0089.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0089.755] lstrlenW (lpString=".jpg") returned 4 [0089.755] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0089.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0089.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0089.755] lstrlenW (lpString=".doc") returned 4 [0089.755] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0089.756] lstrlenW (lpString=".docx") returned 5 [0089.756] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0089.756] lstrlenW (lpString=".pdf") returned 4 [0089.756] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0089.756] lstrlenW (lpString=".xls") returned 4 [0089.756] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0089.756] lstrlenW (lpString=".xlsx") returned 5 [0089.756] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0089.756] lstrlenW (lpString=".ppt") returned 4 [0089.756] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0089.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0089.756] lstrlenW (lpString=".zip") returned 4 [0089.756] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0089.756] lstrlenW (lpString=".rar") returned 4 [0089.756] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0089.756] lstrlenW (lpString=".bz2") returned 4 [0089.756] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0089.756] lstrlenW (lpString=".7z") returned 3 [0089.756] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0089.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0089.756] lstrlenW (lpString=".dbf") returned 4 [0089.756] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0089.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0089.756] lstrlenW (lpString=".1cd") returned 4 [0089.756] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0089.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0089.756] lstrlenW (lpString=".jpg") returned 4 [0089.756] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0089.757] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0089.757] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0089.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0089.757] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=2527) returned 1 [0089.757] CloseHandle (hObject=0x1f4) returned 1 [0089.757] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif")) returned 0x20 [0089.757] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0089.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0089.758] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.758] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.758] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0089.760] GetLastError () returned 0x0 [0089.760] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x9df, lpOverlapped=0x0) returned 1 [0089.762] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x9e0, lpOverlapped=0x0) returned 1 [0089.763] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0089.763] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0089.763] SetEndOfFile (hFile=0x1d4) returned 1 [0089.764] CloseHandle (hObject=0x1d4) returned 1 [0089.764] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.764] SetEndOfFile (hFile=0x1f4) returned 1 [0089.765] CloseHandle (hObject=0x1f4) returned 1 [0089.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0089.765] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif")) returned 1 [0089.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0089.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0089.765] lstrlenW (lpString=".doc") returned 4 [0089.766] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0089.766] lstrlenW (lpString=".docx") returned 5 [0089.766] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0089.766] lstrlenW (lpString=".pdf") returned 4 [0089.766] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0089.766] lstrlenW (lpString=".xls") returned 4 [0089.766] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0089.766] lstrlenW (lpString=".xlsx") returned 5 [0089.766] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0089.766] lstrlenW (lpString=".ppt") returned 4 [0089.766] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0089.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0089.766] lstrlenW (lpString=".zip") returned 4 [0089.766] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0089.766] lstrlenW (lpString=".rar") returned 4 [0089.766] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0089.766] lstrlenW (lpString=".bz2") returned 4 [0089.766] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0089.766] lstrlenW (lpString=".7z") returned 3 [0089.766] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0089.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0089.766] lstrlenW (lpString=".dbf") returned 4 [0089.766] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0089.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0089.766] lstrlenW (lpString=".1cd") returned 4 [0089.766] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0089.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0089.766] lstrlenW (lpString=".jpg") returned 4 [0089.766] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0089.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0089.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0089.767] lstrlenW (lpString=".doc") returned 4 [0089.767] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0089.767] lstrlenW (lpString=".docx") returned 5 [0089.767] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0089.767] lstrlenW (lpString=".pdf") returned 4 [0089.767] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0089.767] lstrlenW (lpString=".xls") returned 4 [0089.767] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0089.767] lstrlenW (lpString=".xlsx") returned 5 [0089.767] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0089.767] lstrlenW (lpString=".ppt") returned 4 [0089.767] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0089.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0089.767] lstrlenW (lpString=".zip") returned 4 [0089.767] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0089.767] lstrlenW (lpString=".rar") returned 4 [0089.767] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0089.767] lstrlenW (lpString=".bz2") returned 4 [0089.767] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0089.767] lstrlenW (lpString=".7z") returned 3 [0089.767] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0089.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0089.767] lstrlenW (lpString=".dbf") returned 4 [0089.767] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0089.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0089.767] lstrlenW (lpString=".1cd") returned 4 [0089.767] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0089.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0089.768] lstrlenW (lpString=".jpg") returned 4 [0089.768] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0089.768] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0089.768] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0089.768] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0089.769] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=19525) returned 1 [0089.769] CloseHandle (hObject=0x1f4) returned 1 [0089.769] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png")) returned 0x20 [0089.769] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0089.769] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0089.769] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.770] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.770] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0089.770] GetLastError () returned 0x0 [0089.770] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x4c45, lpOverlapped=0x0) returned 1 [0089.772] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x4c50, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x4c50, lpOverlapped=0x0) returned 1 [0089.774] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0089.774] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0089.774] SetEndOfFile (hFile=0x1d4) returned 1 [0089.774] CloseHandle (hObject=0x1d4) returned 1 [0089.774] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.774] SetEndOfFile (hFile=0x1f4) returned 1 [0089.775] CloseHandle (hObject=0x1f4) returned 1 [0089.775] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0089.776] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png")) returned 1 [0089.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0089.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0089.776] lstrlenW (lpString=".doc") returned 4 [0089.776] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0089.776] lstrlenW (lpString=".docx") returned 5 [0089.776] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0089.776] lstrlenW (lpString=".pdf") returned 4 [0089.776] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0089.776] lstrlenW (lpString=".xls") returned 4 [0089.776] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0089.776] lstrlenW (lpString=".xlsx") returned 5 [0089.776] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0089.776] lstrlenW (lpString=".ppt") returned 4 [0089.776] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0089.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0089.776] lstrlenW (lpString=".zip") returned 4 [0089.776] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0089.776] lstrlenW (lpString=".rar") returned 4 [0089.776] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0089.776] lstrlenW (lpString=".bz2") returned 4 [0089.776] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0089.777] lstrlenW (lpString=".7z") returned 3 [0089.777] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0089.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0089.777] lstrlenW (lpString=".dbf") returned 4 [0089.777] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0089.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0089.777] lstrlenW (lpString=".1cd") returned 4 [0089.777] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0089.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0089.777] lstrlenW (lpString=".jpg") returned 4 [0089.777] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0089.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0089.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0089.777] lstrlenW (lpString=".doc") returned 4 [0089.777] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0089.777] lstrlenW (lpString=".docx") returned 5 [0089.777] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0089.777] lstrlenW (lpString=".pdf") returned 4 [0089.777] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0089.777] lstrlenW (lpString=".xls") returned 4 [0089.777] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0089.777] lstrlenW (lpString=".xlsx") returned 5 [0089.777] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0089.777] lstrlenW (lpString=".ppt") returned 4 [0089.777] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0089.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0089.777] lstrlenW (lpString=".zip") returned 4 [0089.777] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0089.777] lstrlenW (lpString=".rar") returned 4 [0089.778] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0089.778] lstrlenW (lpString=".bz2") returned 4 [0089.778] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0089.778] lstrlenW (lpString=".7z") returned 3 [0089.778] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0089.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0089.778] lstrlenW (lpString=".dbf") returned 4 [0089.778] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0089.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0089.778] lstrlenW (lpString=".1cd") returned 4 [0089.778] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0089.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0089.778] lstrlenW (lpString=".jpg") returned 4 [0089.778] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0089.778] lstrcmpiW (lpString1=".GIF", lpString2=".mnbzr") returned -1 [0089.778] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0089.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0089.779] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=1737) returned 1 [0089.779] CloseHandle (hObject=0x1f4) returned 1 [0089.779] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif")) returned 0x20 [0089.779] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0089.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0089.779] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.779] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0089.782] GetLastError () returned 0x0 [0089.782] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x6c9, lpOverlapped=0x0) returned 1 [0090.178] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x6d0, lpOverlapped=0x0) returned 1 [0090.180] ReadFile (in: hFile=0x1f4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0090.180] WriteFile (in: hFile=0x1d4, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0090.180] SetEndOfFile (hFile=0x1d4) returned 1 [0090.180] CloseHandle (hObject=0x1d4) returned 1 [0090.180] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.180] SetEndOfFile (hFile=0x1f4) returned 1 [0090.181] CloseHandle (hObject=0x1f4) returned 1 [0090.181] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0090.182] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif")) returned 1 [0090.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0090.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0090.182] lstrlenW (lpString=".doc") returned 4 [0090.182] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0090.182] lstrlenW (lpString=".docx") returned 5 [0090.182] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0090.182] lstrlenW (lpString=".pdf") returned 4 [0090.182] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0090.182] lstrlenW (lpString=".xls") returned 4 [0090.182] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0090.182] lstrlenW (lpString=".xlsx") returned 5 [0090.182] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0090.182] lstrlenW (lpString=".ppt") returned 4 [0090.182] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0090.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0090.182] lstrlenW (lpString=".zip") returned 4 [0090.182] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0090.182] lstrlenW (lpString=".rar") returned 4 [0090.182] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0090.183] lstrlenW (lpString=".bz2") returned 4 [0090.183] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0090.183] lstrlenW (lpString=".7z") returned 3 [0090.183] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0090.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0090.183] lstrlenW (lpString=".dbf") returned 4 [0090.183] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0090.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0090.183] lstrlenW (lpString=".1cd") returned 4 [0090.183] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0090.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0090.183] lstrlenW (lpString=".jpg") returned 4 [0090.183] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0090.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0090.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0090.183] lstrlenW (lpString=".doc") returned 4 [0090.183] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0090.183] lstrlenW (lpString=".docx") returned 5 [0090.183] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0090.183] lstrlenW (lpString=".pdf") returned 4 [0090.183] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0090.183] lstrlenW (lpString=".xls") returned 4 [0090.183] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0090.183] lstrlenW (lpString=".xlsx") returned 5 [0090.183] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0090.183] lstrlenW (lpString=".ppt") returned 4 [0090.183] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0090.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0090.184] lstrlenW (lpString=".zip") returned 4 [0090.184] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0090.184] lstrlenW (lpString=".rar") returned 4 [0090.184] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0090.184] lstrlenW (lpString=".bz2") returned 4 [0090.184] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0090.184] lstrlenW (lpString=".7z") returned 3 [0090.184] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0090.184] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0090.184] lstrlenW (lpString=".dbf") returned 4 [0090.184] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0090.184] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0090.184] lstrlenW (lpString=".1cd") returned 4 [0090.184] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0090.184] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0090.184] lstrlenW (lpString=".jpg") returned 4 [0090.184] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0090.184] lstrcmpiW (lpString1=".PNG", lpString2=".mnbzr") returned 1 [0090.184] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0090.184] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0090.429] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=42453) returned 1 [0090.429] CloseHandle (hObject=0x1e4) returned 1 [0090.429] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png")) returned 0x20 [0090.430] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0090.430] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0090.430] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.453] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.453] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0090.454] GetLastError () returned 0x0 [0090.454] ReadFile (in: hFile=0x1e4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0xa5d5, lpOverlapped=0x0) returned 1 [0090.460] WriteFile (in: hFile=0x210, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xa5e0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xa5e0, lpOverlapped=0x0) returned 1 [0090.461] ReadFile (in: hFile=0x1e4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0090.462] WriteFile (in: hFile=0x210, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0090.462] SetEndOfFile (hFile=0x210) returned 1 [0090.462] CloseHandle (hObject=0x210) returned 1 [0090.462] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.462] SetEndOfFile (hFile=0x1e4) returned 1 [0090.463] CloseHandle (hObject=0x1e4) returned 1 [0090.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0090.463] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png")) returned 1 [0090.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0090.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0090.464] lstrlenW (lpString=".doc") returned 4 [0090.464] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0090.464] lstrlenW (lpString=".docx") returned 5 [0090.464] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0090.464] lstrlenW (lpString=".pdf") returned 4 [0090.464] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0090.464] lstrlenW (lpString=".xls") returned 4 [0090.464] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0090.464] lstrlenW (lpString=".xlsx") returned 5 [0090.464] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0090.464] lstrlenW (lpString=".ppt") returned 4 [0090.464] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0090.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0090.464] lstrlenW (lpString=".zip") returned 4 [0090.464] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0090.464] lstrlenW (lpString=".rar") returned 4 [0090.464] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0090.464] lstrlenW (lpString=".bz2") returned 4 [0090.464] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0090.464] lstrlenW (lpString=".7z") returned 3 [0090.464] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0090.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0090.464] lstrlenW (lpString=".dbf") returned 4 [0090.464] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0090.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0090.464] lstrlenW (lpString=".1cd") returned 4 [0090.464] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0090.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0090.464] lstrlenW (lpString=".jpg") returned 4 [0090.464] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0090.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0090.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0090.465] lstrlenW (lpString=".doc") returned 4 [0090.465] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0090.465] lstrlenW (lpString=".docx") returned 5 [0090.465] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0090.465] lstrlenW (lpString=".pdf") returned 4 [0090.465] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0090.465] lstrlenW (lpString=".xls") returned 4 [0090.465] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0090.465] lstrlenW (lpString=".xlsx") returned 5 [0090.465] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0090.465] lstrlenW (lpString=".ppt") returned 4 [0090.465] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0090.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0090.465] lstrlenW (lpString=".zip") returned 4 [0090.465] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0090.465] lstrlenW (lpString=".rar") returned 4 [0090.465] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0090.465] lstrlenW (lpString=".bz2") returned 4 [0090.465] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0090.465] lstrlenW (lpString=".7z") returned 3 [0090.465] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0090.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0090.465] lstrlenW (lpString=".dbf") returned 4 [0090.465] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0090.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0090.465] lstrlenW (lpString=".1cd") returned 4 [0090.465] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0090.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0090.465] lstrlenW (lpString=".jpg") returned 4 [0090.465] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0090.465] lstrcmpiW (lpString1=".CHM", lpString2=".mnbzr") returned -1 [0090.466] lstrlenW (lpString="VBENDF98.CHM") returned 12 [0090.466] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0090.466] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=72031) returned 1 [0090.467] CloseHandle (hObject=0x1e4) returned 1 [0090.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm")) returned 0x20 [0090.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0090.467] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0090.467] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.467] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.467] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0090.467] GetLastError () returned 0x0 [0090.467] ReadFile (in: hFile=0x1e4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x1195f, lpOverlapped=0x0) returned 1 [0090.492] WriteFile (in: hFile=0x210, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0x11960, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0x11960, lpOverlapped=0x0) returned 1 [0090.494] ReadFile (in: hFile=0x1e4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0090.494] WriteFile (in: hFile=0x210, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0090.494] SetEndOfFile (hFile=0x210) returned 1 [0090.495] CloseHandle (hObject=0x210) returned 1 [0090.495] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.495] SetEndOfFile (hFile=0x1e4) returned 1 [0090.496] CloseHandle (hObject=0x1e4) returned 1 [0090.496] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0090.496] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm")) returned 1 [0090.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0090.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0090.497] lstrlenW (lpString=".doc") returned 4 [0090.497] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0090.497] lstrlenW (lpString=".docx") returned 5 [0090.497] lstrcmpiW (lpString1=".docx", lpString2="8.CHM") returned -1 [0090.497] lstrlenW (lpString=".pdf") returned 4 [0090.497] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0090.497] lstrlenW (lpString=".xls") returned 4 [0090.497] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0090.497] lstrlenW (lpString=".xlsx") returned 5 [0090.497] lstrcmpiW (lpString1=".xlsx", lpString2="8.CHM") returned -1 [0090.497] lstrlenW (lpString=".ppt") returned 4 [0090.497] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0090.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0090.497] lstrlenW (lpString=".zip") returned 4 [0090.497] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0090.497] lstrlenW (lpString=".rar") returned 4 [0090.497] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0090.497] lstrlenW (lpString=".bz2") returned 4 [0090.497] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0090.497] lstrlenW (lpString=".7z") returned 3 [0090.497] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0090.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0090.497] lstrlenW (lpString=".dbf") returned 4 [0090.497] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0090.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0090.497] lstrlenW (lpString=".1cd") returned 4 [0090.497] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0090.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0090.497] lstrlenW (lpString=".jpg") returned 4 [0090.497] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0090.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0090.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0090.498] lstrlenW (lpString=".doc") returned 4 [0090.498] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0090.498] lstrlenW (lpString=".docx") returned 5 [0090.498] lstrcmpiW (lpString1=".docx", lpString2="8.CHM") returned -1 [0090.498] lstrlenW (lpString=".pdf") returned 4 [0090.498] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0090.498] lstrlenW (lpString=".xls") returned 4 [0090.498] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0090.498] lstrlenW (lpString=".xlsx") returned 5 [0090.498] lstrcmpiW (lpString1=".xlsx", lpString2="8.CHM") returned -1 [0090.498] lstrlenW (lpString=".ppt") returned 4 [0090.498] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0090.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0090.498] lstrlenW (lpString=".zip") returned 4 [0090.498] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0090.498] lstrlenW (lpString=".rar") returned 4 [0090.498] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0090.498] lstrlenW (lpString=".bz2") returned 4 [0090.498] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0090.498] lstrlenW (lpString=".7z") returned 3 [0090.498] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0090.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0090.498] lstrlenW (lpString=".dbf") returned 4 [0090.498] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0090.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0090.498] lstrlenW (lpString=".1cd") returned 4 [0090.498] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0090.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0090.498] lstrlenW (lpString=".jpg") returned 4 [0090.498] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0090.498] lstrcmpiW (lpString1=".CHM", lpString2=".mnbzr") returned -1 [0090.499] lstrlenW (lpString="VBHW6.CHM") returned 9 [0090.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0090.499] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=58026) returned 1 [0090.499] CloseHandle (hObject=0x1e4) returned 1 [0090.499] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm")) returned 0x20 [0090.499] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0090.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0090.499] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.499] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0090.500] GetLastError () returned 0x0 [0090.500] ReadFile (in: hFile=0x1e4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0xe2aa, lpOverlapped=0x0) returned 1 [0090.564] WriteFile (in: hFile=0x210, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe2b0, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe2b0, lpOverlapped=0x0) returned 1 [0090.577] ReadFile (in: hFile=0x1e4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0090.578] WriteFile (in: hFile=0x210, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0090.578] SetEndOfFile (hFile=0x210) returned 1 [0090.578] CloseHandle (hObject=0x210) returned 1 [0090.578] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.578] SetEndOfFile (hFile=0x1e4) returned 1 [0090.579] CloseHandle (hObject=0x1e4) returned 1 [0090.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0090.579] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm")) returned 1 [0090.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0090.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0090.580] lstrlenW (lpString=".doc") returned 4 [0090.580] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0090.580] lstrlenW (lpString=".docx") returned 5 [0090.580] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0090.580] lstrlenW (lpString=".pdf") returned 4 [0090.580] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0090.580] lstrlenW (lpString=".xls") returned 4 [0090.580] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0090.580] lstrlenW (lpString=".xlsx") returned 5 [0090.580] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0090.580] lstrlenW (lpString=".ppt") returned 4 [0090.580] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0090.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0090.580] lstrlenW (lpString=".zip") returned 4 [0090.580] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0090.580] lstrlenW (lpString=".rar") returned 4 [0090.580] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0090.580] lstrlenW (lpString=".bz2") returned 4 [0090.580] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0090.580] lstrlenW (lpString=".7z") returned 3 [0090.580] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0090.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0090.580] lstrlenW (lpString=".dbf") returned 4 [0090.581] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0090.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0090.581] lstrlenW (lpString=".1cd") returned 4 [0090.581] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0090.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0090.581] lstrlenW (lpString=".jpg") returned 4 [0090.581] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0090.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0090.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0090.581] lstrlenW (lpString=".doc") returned 4 [0090.581] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0090.581] lstrlenW (lpString=".docx") returned 5 [0090.581] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0090.581] lstrlenW (lpString=".pdf") returned 4 [0090.581] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0090.581] lstrlenW (lpString=".xls") returned 4 [0090.581] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0090.581] lstrlenW (lpString=".xlsx") returned 5 [0090.581] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0090.581] lstrlenW (lpString=".ppt") returned 4 [0090.581] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0090.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0090.581] lstrlenW (lpString=".zip") returned 4 [0090.581] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0090.582] lstrlenW (lpString=".rar") returned 4 [0090.582] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0090.582] lstrlenW (lpString=".bz2") returned 4 [0090.582] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0090.582] lstrlenW (lpString=".7z") returned 3 [0090.582] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0090.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0090.582] lstrlenW (lpString=".dbf") returned 4 [0090.582] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0090.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0090.582] lstrlenW (lpString=".1cd") returned 4 [0090.582] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0090.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0090.582] lstrlenW (lpString=".jpg") returned 4 [0090.582] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0090.582] lstrcmpiW (lpString1=".CHM", lpString2=".mnbzr") returned -1 [0090.582] lstrlenW (lpString="VBLR6.CHM") returned 9 [0090.582] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0090.583] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=944994) returned 1 [0090.583] CloseHandle (hObject=0x1e4) returned 1 [0090.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm")) returned 0x20 [0090.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0090.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0090.583] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.583] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0090.583] GetLastError () returned 0x0 [0090.583] ReadFile (in: hFile=0x1e4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0xe6b62, lpOverlapped=0x0) returned 1 [0090.608] WriteFile (in: hFile=0x210, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6b70, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6b70, lpOverlapped=0x0) returned 1 [0092.752] ReadFile (in: hFile=0x1e4, lpBuffer=0x32d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesRead=0x2d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0092.752] WriteFile (in: hFile=0x210, lpBuffer=0x32d0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x32d0020*, lpNumberOfBytesWritten=0x2d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0092.752] SetEndOfFile (hFile=0x210) returned 1 [0092.752] CloseHandle (hObject=0x210) returned 1 [0092.753] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.753] SetEndOfFile (hFile=0x1e4) returned 1 [0092.763] CloseHandle (hObject=0x1e4) returned 1 [0092.763] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x20) returned 1 [0092.764] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm")) returned 1 [0092.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0092.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0092.764] lstrlenW (lpString=".doc") returned 4 [0092.764] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0092.764] lstrlenW (lpString=".docx") returned 5 [0092.764] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0092.764] lstrlenW (lpString=".pdf") returned 4 [0092.764] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0092.764] lstrlenW (lpString=".xls") returned 4 [0092.764] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0092.764] lstrlenW (lpString=".xlsx") returned 5 [0092.764] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0092.764] lstrlenW (lpString=".ppt") returned 4 [0092.764] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0092.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0092.764] lstrlenW (lpString=".zip") returned 4 [0092.765] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0092.765] lstrlenW (lpString=".rar") returned 4 [0092.765] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0092.765] lstrlenW (lpString=".bz2") returned 4 [0092.765] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0092.765] lstrlenW (lpString=".7z") returned 3 [0092.765] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0092.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0092.765] lstrlenW (lpString=".dbf") returned 4 [0092.765] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0092.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0092.765] lstrlenW (lpString=".1cd") returned 4 [0092.765] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0092.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0092.765] lstrlenW (lpString=".jpg") returned 4 [0092.765] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0092.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0092.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0092.765] lstrlenW (lpString=".doc") returned 4 [0092.765] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0092.765] lstrlenW (lpString=".docx") returned 5 [0092.765] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0092.765] lstrlenW (lpString=".pdf") returned 4 [0092.765] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0092.765] lstrlenW (lpString=".xls") returned 4 [0092.765] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0092.766] lstrlenW (lpString=".xlsx") returned 5 [0092.766] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0092.766] lstrlenW (lpString=".ppt") returned 4 [0092.766] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0092.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0092.766] lstrlenW (lpString=".zip") returned 4 [0092.766] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0092.766] lstrlenW (lpString=".rar") returned 4 [0092.766] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0092.766] lstrlenW (lpString=".bz2") returned 4 [0092.766] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0092.766] lstrlenW (lpString=".7z") returned 3 [0092.766] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0092.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0092.766] lstrlenW (lpString=".dbf") returned 4 [0092.766] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0092.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0092.766] lstrlenW (lpString=".1cd") returned 4 [0092.766] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0092.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0092.766] lstrlenW (lpString=".jpg") returned 4 [0092.767] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0092.767] lstrcmpiW (lpString1=".inc", lpString2=".mnbzr") returned -1 [0092.767] lstrlenW (lpString="adojavas.inc") returned 12 [0092.767] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.104] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d5ff1c | out: lpFileSize=0x2d5ff1c*=14610) returned 1 [0093.104] CloseHandle (hObject=0x1f4) returned 1 [0093.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc")) returned 0x20 [0093.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.105] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0093.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0093.105] lstrlenW (lpString=".doc") returned 4 [0093.105] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0093.105] lstrlenW (lpString=".docx") returned 5 [0093.105] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0093.105] lstrlenW (lpString=".pdf") returned 4 [0093.105] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0093.105] lstrlenW (lpString=".xls") returned 4 [0093.105] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0093.105] lstrlenW (lpString=".xlsx") returned 5 [0093.105] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0093.105] lstrlenW (lpString=".ppt") returned 4 [0093.105] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0093.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0093.105] lstrlenW (lpString=".zip") returned 4 [0093.105] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0093.105] lstrlenW (lpString=".rar") returned 4 [0093.105] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0093.105] lstrlenW (lpString=".bz2") returned 4 [0093.105] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0093.105] lstrlenW (lpString=".7z") returned 3 [0093.105] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0093.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0093.106] lstrlenW (lpString=".dbf") returned 4 [0093.106] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0093.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0093.106] lstrlenW (lpString=".1cd") returned 4 [0093.106] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0093.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0093.106] lstrlenW (lpString=".jpg") returned 4 [0093.106] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0093.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0093.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0093.106] lstrlenW (lpString=".doc") returned 4 [0093.106] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0093.106] lstrlenW (lpString=".docx") returned 5 [0093.106] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0093.106] lstrlenW (lpString=".pdf") returned 4 [0093.106] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0093.106] lstrlenW (lpString=".xls") returned 4 [0093.106] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0093.106] lstrlenW (lpString=".xlsx") returned 5 [0093.106] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0093.106] lstrlenW (lpString=".ppt") returned 4 [0093.106] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0093.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0093.106] lstrlenW (lpString=".zip") returned 4 [0093.106] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0093.106] lstrlenW (lpString=".rar") returned 4 [0093.107] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0093.107] lstrlenW (lpString=".bz2") returned 4 [0093.107] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0093.107] lstrlenW (lpString=".7z") returned 3 [0093.107] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0093.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0093.107] lstrlenW (lpString=".dbf") returned 4 [0093.107] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0093.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0093.107] lstrlenW (lpString=".1cd") returned 4 [0093.107] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0093.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0093.107] lstrlenW (lpString=".jpg") returned 4 [0093.107] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0093.107] lstrcmpiW (lpString1=".wmv", lpString2=".mnbzr") returned 1 [0093.107] lstrlenW (lpString="flower_trans_RGB_PAL.wmv") returned 24 [0093.107] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 13 os_tid = 0x7c4 [0066.909] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x31f0058 [0066.909] lstrlenW (lpString="C:") returned 2 [0066.909] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x2e9fd00 | out: lpFindFileData=0x2e9fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x2e06f0 [0066.910] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0066.910] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0066.910] lstrlenW (lpString="$Recycle.Bin") returned 12 [0066.910] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0066.910] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x3200060 [0066.910] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0066.910] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2e0730 [0066.911] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.911] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0066.911] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0066.911] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0066.911] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0066.911] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0066.911] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x3211070 [0066.912] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0066.912] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef70 [0066.912] FindNextFileW (in: hFindFile=0x2cef70, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.912] FindNextFileW (in: hFindFile=0x2cef70, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0066.912] lstrlenW (lpString="desktop.ini") returned 11 [0066.912] lstrlenW (lpString=".1cd") returned 4 [0066.912] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0066.912] lstrlenW (lpString=".3ds") returned 4 [0066.912] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0066.912] lstrlenW (lpString=".3fr") returned 4 [0066.912] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0066.912] lstrlenW (lpString=".3g2") returned 4 [0066.912] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0066.912] lstrlenW (lpString=".3gp") returned 4 [0066.912] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0066.913] lstrlenW (lpString=".7z") returned 3 [0066.913] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0066.913] lstrlenW (lpString=".accda") returned 6 [0066.913] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0066.913] lstrlenW (lpString=".accdb") returned 6 [0066.913] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0066.913] lstrlenW (lpString=".accdc") returned 6 [0066.913] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0066.913] lstrlenW (lpString=".accde") returned 6 [0066.913] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0066.913] lstrlenW (lpString=".accdt") returned 6 [0066.913] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0066.913] lstrlenW (lpString=".accdw") returned 6 [0066.913] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0066.913] lstrlenW (lpString=".adb") returned 4 [0066.913] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0066.913] lstrlenW (lpString=".adp") returned 4 [0066.913] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0066.913] lstrlenW (lpString=".ai") returned 3 [0066.913] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0066.913] lstrlenW (lpString=".ai3") returned 4 [0066.913] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0066.913] lstrlenW (lpString=".ai4") returned 4 [0066.913] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0066.913] lstrlenW (lpString=".ai5") returned 4 [0066.913] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0066.913] lstrlenW (lpString=".ai6") returned 4 [0066.913] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0066.913] lstrlenW (lpString=".ai7") returned 4 [0066.913] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0066.913] lstrlenW (lpString=".ai8") returned 4 [0066.913] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0066.913] lstrlenW (lpString=".anim") returned 5 [0066.913] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0066.913] lstrlenW (lpString=".arw") returned 4 [0066.913] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0066.913] lstrlenW (lpString=".as") returned 3 [0066.914] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0066.914] lstrlenW (lpString=".asa") returned 4 [0066.914] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0066.914] lstrlenW (lpString=".asc") returned 4 [0066.914] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0066.914] lstrlenW (lpString=".ascx") returned 5 [0066.914] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0066.914] lstrlenW (lpString=".asm") returned 4 [0066.914] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0066.914] lstrlenW (lpString=".asmx") returned 5 [0066.914] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0066.914] lstrlenW (lpString=".asp") returned 4 [0066.914] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0066.914] lstrlenW (lpString=".aspx") returned 5 [0066.914] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0066.914] lstrlenW (lpString=".asr") returned 4 [0066.914] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0066.914] lstrlenW (lpString=".asx") returned 4 [0066.914] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0066.914] lstrlenW (lpString=".avi") returned 4 [0066.914] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0066.914] lstrlenW (lpString=".avs") returned 4 [0066.914] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0066.914] lstrlenW (lpString=".backup") returned 7 [0066.914] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0066.914] lstrlenW (lpString=".bak") returned 4 [0066.914] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0066.914] lstrlenW (lpString=".bay") returned 4 [0066.914] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0066.914] lstrlenW (lpString=".bd") returned 3 [0066.914] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0066.914] lstrlenW (lpString=".bin") returned 4 [0066.914] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0066.914] lstrlenW (lpString=".bmp") returned 4 [0066.914] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0066.914] lstrlenW (lpString=".bz2") returned 4 [0066.915] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".c") returned 2 [0066.915] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0066.915] lstrlenW (lpString=".cdr") returned 4 [0066.915] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".cer") returned 4 [0066.915] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".cf") returned 3 [0066.915] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0066.915] lstrlenW (lpString=".cfc") returned 4 [0066.915] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".cfm") returned 4 [0066.915] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".cfml") returned 5 [0066.915] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0066.915] lstrlenW (lpString=".cfu") returned 4 [0066.915] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".chm") returned 4 [0066.915] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".cin") returned 4 [0066.915] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".class") returned 6 [0066.915] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0066.915] lstrlenW (lpString=".clx") returned 4 [0066.915] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".config") returned 7 [0066.915] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0066.915] lstrlenW (lpString=".cpp") returned 4 [0066.915] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".cr2") returned 4 [0066.915] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".crt") returned 4 [0066.915] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".crw") returned 4 [0066.915] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0066.915] lstrlenW (lpString=".cs") returned 3 [0066.916] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0066.916] lstrlenW (lpString=".css") returned 4 [0066.916] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".csv") returned 4 [0066.916] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".cub") returned 4 [0066.916] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".dae") returned 4 [0066.916] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".dat") returned 4 [0066.916] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".db") returned 3 [0066.916] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0066.916] lstrlenW (lpString=".dbf") returned 4 [0066.916] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".dbx") returned 4 [0066.916] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".dc3") returned 4 [0066.916] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".dcm") returned 4 [0066.916] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".dcr") returned 4 [0066.916] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".der") returned 4 [0066.916] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".dib") returned 4 [0066.916] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".dic") returned 4 [0066.916] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".dif") returned 4 [0066.916] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0066.916] lstrlenW (lpString=".divx") returned 5 [0066.916] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0066.916] lstrlenW (lpString=".djvu") returned 5 [0066.916] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0066.917] lstrlenW (lpString=".dng") returned 4 [0066.917] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0066.917] lstrlenW (lpString=".doc") returned 4 [0066.917] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0066.917] lstrlenW (lpString=".docm") returned 5 [0066.917] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0066.917] lstrlenW (lpString=".docx") returned 5 [0066.917] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0066.917] lstrlenW (lpString=".dot") returned 4 [0066.917] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0066.917] lstrlenW (lpString=".dotm") returned 5 [0066.917] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0066.917] lstrlenW (lpString=".dotx") returned 5 [0066.917] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0066.917] lstrlenW (lpString=".dpx") returned 4 [0066.917] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0066.917] lstrlenW (lpString=".dqy") returned 4 [0066.917] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0066.917] lstrlenW (lpString=".dsn") returned 4 [0066.917] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0066.917] lstrlenW (lpString=".dt") returned 3 [0066.917] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0066.917] lstrlenW (lpString=".dtd") returned 4 [0066.917] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0066.917] lstrlenW (lpString=".dwg") returned 4 [0066.917] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0066.917] lstrlenW (lpString=".dwt") returned 4 [0066.917] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0066.917] lstrlenW (lpString=".dx") returned 3 [0066.917] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0066.917] lstrlenW (lpString=".dxf") returned 4 [0066.917] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0066.917] lstrlenW (lpString=".edml") returned 5 [0066.917] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0066.917] lstrlenW (lpString=".efd") returned 4 [0066.917] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0066.917] lstrlenW (lpString=".elf") returned 4 [0066.918] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".emf") returned 4 [0066.918] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".emz") returned 4 [0066.918] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".epf") returned 4 [0066.918] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".eps") returned 4 [0066.918] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".epsf") returned 5 [0066.918] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0066.918] lstrlenW (lpString=".epsp") returned 5 [0066.918] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0066.918] lstrlenW (lpString=".erf") returned 4 [0066.918] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".exr") returned 4 [0066.918] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".f4v") returned 4 [0066.918] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".fido") returned 5 [0066.918] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0066.918] lstrlenW (lpString=".flm") returned 4 [0066.918] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".flv") returned 4 [0066.918] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".frm") returned 4 [0066.918] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".fxg") returned 4 [0066.918] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".geo") returned 4 [0066.918] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".gif") returned 4 [0066.918] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0066.918] lstrlenW (lpString=".grs") returned 4 [0066.918] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0066.919] lstrlenW (lpString=".gz") returned 3 [0066.919] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0066.919] lstrlenW (lpString=".h") returned 2 [0066.919] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0066.919] lstrlenW (lpString=".hdr") returned 4 [0066.919] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0066.919] lstrlenW (lpString=".hpp") returned 4 [0066.919] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0066.919] lstrlenW (lpString=".hta") returned 4 [0066.919] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0066.919] lstrlenW (lpString=".htc") returned 4 [0066.919] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0066.919] lstrlenW (lpString=".htm") returned 4 [0066.919] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0066.919] lstrlenW (lpString=".html") returned 5 [0066.919] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0066.919] lstrlenW (lpString=".icb") returned 4 [0066.919] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0066.919] lstrlenW (lpString=".ics") returned 4 [0066.919] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0066.919] lstrlenW (lpString=".iff") returned 4 [0066.919] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0066.919] lstrlenW (lpString=".inc") returned 4 [0066.919] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0066.919] lstrlenW (lpString=".indd") returned 5 [0066.919] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0066.919] lstrlenW (lpString=".ini") returned 4 [0066.920] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0066.920] lstrlenW (lpString="desktop.ini") returned 11 [0066.920] lstrlenW (lpString=".mnbzr") returned 6 [0066.920] lstrcmpiW (lpString1=".mnbzr", lpString2="op.ini") returned -1 [0066.920] lstrlenW (lpString="desktop.ini") returned 11 [0066.920] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0066.920] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0066.920] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0066.920] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0066.920] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0066.920] lstrcmpiW (lpString1="FILES ENCRYPTED.txt", lpString2="desktop.ini") returned 1 [0066.920] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0066.920] lstrcmpiW (lpString1="dmyurb.exe", lpString2="desktop.ini") returned 1 [0066.920] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0066.920] FindNextFileW (in: hFindFile=0x2cef70, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0066.920] FindClose (in: hFindFile=0x2cef70 | out: hFindFile=0x2cef70) returned 1 [0066.920] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3211070 | out: hHeap=0x240000) returned 1 [0066.921] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0066.921] FindClose (in: hFindFile=0x2e0730 | out: hFindFile=0x2e0730) returned 1 [0066.921] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3200060 | out: hHeap=0x240000) returned 1 [0066.921] FindNextFileW (in: hFindFile=0x2e06f0, lpFindFileData=0x2e9fd00 | out: lpFindFileData=0x2e9fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0066.921] lstrlenW (lpString="C:\\Boot") returned 7 [0066.921] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot") returned 1 [0066.921] lstrlenW (lpString="Boot") returned 4 [0066.921] lstrcmpiW (lpString1="C:\\Windows", lpString2="Boot") returned 1 [0066.921] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x3200060 [0066.921] lstrlenW (lpString="C:\\Boot") returned 7 [0066.921] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2e0730 [0066.921] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.921] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x90cd45e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x90cd45e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0066.921] lstrlenW (lpString="BCD") returned 3 [0066.921] lstrlenW (lpString=".1cd") returned 4 [0066.922] lstrcmpiW (lpString1=".1cd", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".3ds") returned 4 [0066.922] lstrcmpiW (lpString1=".3ds", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".3fr") returned 4 [0066.922] lstrcmpiW (lpString1=".3fr", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".3g2") returned 4 [0066.922] lstrcmpiW (lpString1=".3g2", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".3gp") returned 4 [0066.922] lstrcmpiW (lpString1=".3gp", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".7z") returned 3 [0066.922] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0066.922] lstrlenW (lpString=".accda") returned 6 [0066.922] lstrcmpiW (lpString1=".accda", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".accdb") returned 6 [0066.922] lstrcmpiW (lpString1=".accdb", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".accdc") returned 6 [0066.922] lstrcmpiW (lpString1=".accdc", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".accde") returned 6 [0066.922] lstrcmpiW (lpString1=".accde", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".accdt") returned 6 [0066.922] lstrcmpiW (lpString1=".accdt", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".accdw") returned 6 [0066.922] lstrcmpiW (lpString1=".accdw", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".adb") returned 4 [0066.922] lstrcmpiW (lpString1=".adb", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".adp") returned 4 [0066.922] lstrcmpiW (lpString1=".adp", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".ai") returned 3 [0066.922] lstrcmpiW (lpString1=".ai", lpString2="BCD") returned -1 [0066.922] lstrlenW (lpString=".ai3") returned 4 [0066.922] lstrcmpiW (lpString1=".ai3", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".ai4") returned 4 [0066.922] lstrcmpiW (lpString1=".ai4", lpString2="") returned 1 [0066.922] lstrlenW (lpString=".ai5") returned 4 [0066.923] lstrcmpiW (lpString1=".ai5", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".ai6") returned 4 [0066.923] lstrcmpiW (lpString1=".ai6", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".ai7") returned 4 [0066.923] lstrcmpiW (lpString1=".ai7", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".ai8") returned 4 [0066.923] lstrcmpiW (lpString1=".ai8", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".anim") returned 5 [0066.923] lstrcmpiW (lpString1=".anim", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".arw") returned 4 [0066.923] lstrcmpiW (lpString1=".arw", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".as") returned 3 [0066.923] lstrcmpiW (lpString1=".as", lpString2="BCD") returned -1 [0066.923] lstrlenW (lpString=".asa") returned 4 [0066.923] lstrcmpiW (lpString1=".asa", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".asc") returned 4 [0066.923] lstrcmpiW (lpString1=".asc", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".ascx") returned 5 [0066.923] lstrcmpiW (lpString1=".ascx", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".asm") returned 4 [0066.923] lstrcmpiW (lpString1=".asm", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".asmx") returned 5 [0066.923] lstrcmpiW (lpString1=".asmx", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".asp") returned 4 [0066.923] lstrcmpiW (lpString1=".asp", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".aspx") returned 5 [0066.923] lstrcmpiW (lpString1=".aspx", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".asr") returned 4 [0066.923] lstrcmpiW (lpString1=".asr", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".asx") returned 4 [0066.923] lstrcmpiW (lpString1=".asx", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".avi") returned 4 [0066.923] lstrcmpiW (lpString1=".avi", lpString2="") returned 1 [0066.923] lstrlenW (lpString=".avs") returned 4 [0066.924] lstrcmpiW (lpString1=".avs", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".backup") returned 7 [0066.924] lstrcmpiW (lpString1=".backup", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".bak") returned 4 [0066.924] lstrcmpiW (lpString1=".bak", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".bay") returned 4 [0066.924] lstrcmpiW (lpString1=".bay", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".bd") returned 3 [0066.924] lstrcmpiW (lpString1=".bd", lpString2="BCD") returned -1 [0066.924] lstrlenW (lpString=".bin") returned 4 [0066.924] lstrcmpiW (lpString1=".bin", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".bmp") returned 4 [0066.924] lstrcmpiW (lpString1=".bmp", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".bz2") returned 4 [0066.924] lstrcmpiW (lpString1=".bz2", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".c") returned 2 [0066.924] lstrcmpiW (lpString1=".c", lpString2="CD") returned -1 [0066.924] lstrlenW (lpString=".cdr") returned 4 [0066.924] lstrcmpiW (lpString1=".cdr", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".cer") returned 4 [0066.924] lstrcmpiW (lpString1=".cer", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".cf") returned 3 [0066.924] lstrcmpiW (lpString1=".cf", lpString2="BCD") returned -1 [0066.924] lstrlenW (lpString=".cfc") returned 4 [0066.924] lstrcmpiW (lpString1=".cfc", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".cfm") returned 4 [0066.924] lstrcmpiW (lpString1=".cfm", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".cfml") returned 5 [0066.924] lstrcmpiW (lpString1=".cfml", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".cfu") returned 4 [0066.924] lstrcmpiW (lpString1=".cfu", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".chm") returned 4 [0066.924] lstrcmpiW (lpString1=".chm", lpString2="") returned 1 [0066.924] lstrlenW (lpString=".cin") returned 4 [0066.925] lstrcmpiW (lpString1=".cin", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".class") returned 6 [0066.925] lstrcmpiW (lpString1=".class", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".clx") returned 4 [0066.925] lstrcmpiW (lpString1=".clx", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".config") returned 7 [0066.925] lstrcmpiW (lpString1=".config", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".cpp") returned 4 [0066.925] lstrcmpiW (lpString1=".cpp", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".cr2") returned 4 [0066.925] lstrcmpiW (lpString1=".cr2", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".crt") returned 4 [0066.925] lstrcmpiW (lpString1=".crt", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".crw") returned 4 [0066.925] lstrcmpiW (lpString1=".crw", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".cs") returned 3 [0066.925] lstrcmpiW (lpString1=".cs", lpString2="BCD") returned -1 [0066.925] lstrlenW (lpString=".css") returned 4 [0066.925] lstrcmpiW (lpString1=".css", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".csv") returned 4 [0066.925] lstrcmpiW (lpString1=".csv", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".cub") returned 4 [0066.925] lstrcmpiW (lpString1=".cub", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".dae") returned 4 [0066.925] lstrcmpiW (lpString1=".dae", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".dat") returned 4 [0066.925] lstrcmpiW (lpString1=".dat", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".db") returned 3 [0066.925] lstrcmpiW (lpString1=".db", lpString2="BCD") returned -1 [0066.925] lstrlenW (lpString=".dbf") returned 4 [0066.925] lstrcmpiW (lpString1=".dbf", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".dbx") returned 4 [0066.925] lstrcmpiW (lpString1=".dbx", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".dc3") returned 4 [0066.925] lstrcmpiW (lpString1=".dc3", lpString2="") returned 1 [0066.925] lstrlenW (lpString=".dcm") returned 4 [0066.925] lstrcmpiW (lpString1=".dcm", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".dcr") returned 4 [0066.926] lstrcmpiW (lpString1=".dcr", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".der") returned 4 [0066.926] lstrcmpiW (lpString1=".der", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".dib") returned 4 [0066.926] lstrcmpiW (lpString1=".dib", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".dic") returned 4 [0066.926] lstrcmpiW (lpString1=".dic", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".dif") returned 4 [0066.926] lstrcmpiW (lpString1=".dif", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".divx") returned 5 [0066.926] lstrcmpiW (lpString1=".divx", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".djvu") returned 5 [0066.926] lstrcmpiW (lpString1=".djvu", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".dng") returned 4 [0066.926] lstrcmpiW (lpString1=".dng", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".doc") returned 4 [0066.926] lstrcmpiW (lpString1=".doc", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".docm") returned 5 [0066.926] lstrcmpiW (lpString1=".docm", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".docx") returned 5 [0066.926] lstrcmpiW (lpString1=".docx", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".dot") returned 4 [0066.926] lstrcmpiW (lpString1=".dot", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".dotm") returned 5 [0066.926] lstrcmpiW (lpString1=".dotm", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".dotx") returned 5 [0066.926] lstrcmpiW (lpString1=".dotx", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".dpx") returned 4 [0066.926] lstrcmpiW (lpString1=".dpx", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".dqy") returned 4 [0066.926] lstrcmpiW (lpString1=".dqy", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".dsn") returned 4 [0066.926] lstrcmpiW (lpString1=".dsn", lpString2="") returned 1 [0066.926] lstrlenW (lpString=".dt") returned 3 [0066.927] lstrcmpiW (lpString1=".dt", lpString2="BCD") returned -1 [0066.927] lstrlenW (lpString=".dtd") returned 4 [0066.927] lstrcmpiW (lpString1=".dtd", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".dwg") returned 4 [0066.927] lstrcmpiW (lpString1=".dwg", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".dwt") returned 4 [0066.927] lstrcmpiW (lpString1=".dwt", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".dx") returned 3 [0066.927] lstrcmpiW (lpString1=".dx", lpString2="BCD") returned -1 [0066.927] lstrlenW (lpString=".dxf") returned 4 [0066.927] lstrcmpiW (lpString1=".dxf", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".edml") returned 5 [0066.927] lstrcmpiW (lpString1=".edml", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".efd") returned 4 [0066.927] lstrcmpiW (lpString1=".efd", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".elf") returned 4 [0066.927] lstrcmpiW (lpString1=".elf", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".emf") returned 4 [0066.927] lstrcmpiW (lpString1=".emf", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".emz") returned 4 [0066.927] lstrcmpiW (lpString1=".emz", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".epf") returned 4 [0066.927] lstrcmpiW (lpString1=".epf", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".eps") returned 4 [0066.927] lstrcmpiW (lpString1=".eps", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".epsf") returned 5 [0066.927] lstrcmpiW (lpString1=".epsf", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".epsp") returned 5 [0066.927] lstrcmpiW (lpString1=".epsp", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".erf") returned 4 [0066.927] lstrcmpiW (lpString1=".erf", lpString2="") returned 1 [0066.927] lstrlenW (lpString=".exr") returned 4 [0066.928] lstrcmpiW (lpString1=".exr", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".f4v") returned 4 [0066.928] lstrcmpiW (lpString1=".f4v", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".fido") returned 5 [0066.928] lstrcmpiW (lpString1=".fido", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".flm") returned 4 [0066.928] lstrcmpiW (lpString1=".flm", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".flv") returned 4 [0066.928] lstrcmpiW (lpString1=".flv", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".frm") returned 4 [0066.928] lstrcmpiW (lpString1=".frm", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".fxg") returned 4 [0066.928] lstrcmpiW (lpString1=".fxg", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".geo") returned 4 [0066.928] lstrcmpiW (lpString1=".geo", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".gif") returned 4 [0066.928] lstrcmpiW (lpString1=".gif", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".grs") returned 4 [0066.928] lstrcmpiW (lpString1=".grs", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".gz") returned 3 [0066.928] lstrcmpiW (lpString1=".gz", lpString2="BCD") returned -1 [0066.928] lstrlenW (lpString=".h") returned 2 [0066.928] lstrcmpiW (lpString1=".h", lpString2="CD") returned -1 [0066.928] lstrlenW (lpString=".hdr") returned 4 [0066.928] lstrcmpiW (lpString1=".hdr", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".hpp") returned 4 [0066.928] lstrcmpiW (lpString1=".hpp", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".hta") returned 4 [0066.928] lstrcmpiW (lpString1=".hta", lpString2="") returned 1 [0066.928] lstrlenW (lpString=".htc") returned 4 [0066.928] lstrcmpiW (lpString1=".htc", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".htm") returned 4 [0066.929] lstrcmpiW (lpString1=".htm", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".html") returned 5 [0066.929] lstrcmpiW (lpString1=".html", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".icb") returned 4 [0066.929] lstrcmpiW (lpString1=".icb", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".ics") returned 4 [0066.929] lstrcmpiW (lpString1=".ics", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".iff") returned 4 [0066.929] lstrcmpiW (lpString1=".iff", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".inc") returned 4 [0066.929] lstrcmpiW (lpString1=".inc", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".indd") returned 5 [0066.929] lstrcmpiW (lpString1=".indd", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".ini") returned 4 [0066.929] lstrcmpiW (lpString1=".ini", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".iqy") returned 4 [0066.929] lstrcmpiW (lpString1=".iqy", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".j2c") returned 4 [0066.929] lstrcmpiW (lpString1=".j2c", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".j2k") returned 4 [0066.929] lstrcmpiW (lpString1=".j2k", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".java") returned 5 [0066.929] lstrcmpiW (lpString1=".java", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".jp2") returned 4 [0066.929] lstrcmpiW (lpString1=".jp2", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".jpc") returned 4 [0066.929] lstrcmpiW (lpString1=".jpc", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".jpe") returned 4 [0066.929] lstrcmpiW (lpString1=".jpe", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".jpeg") returned 5 [0066.929] lstrcmpiW (lpString1=".jpeg", lpString2="") returned 1 [0066.929] lstrlenW (lpString=".jpf") returned 4 [0066.929] lstrcmpiW (lpString1=".jpf", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".jpg") returned 4 [0066.930] lstrcmpiW (lpString1=".jpg", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".jpx") returned 4 [0066.930] lstrcmpiW (lpString1=".jpx", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".js") returned 3 [0066.930] lstrcmpiW (lpString1=".js", lpString2="BCD") returned -1 [0066.930] lstrlenW (lpString=".jsf") returned 4 [0066.930] lstrcmpiW (lpString1=".jsf", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".json") returned 5 [0066.930] lstrcmpiW (lpString1=".json", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".jsp") returned 4 [0066.930] lstrcmpiW (lpString1=".jsp", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".kdc") returned 4 [0066.930] lstrcmpiW (lpString1=".kdc", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".kmz") returned 4 [0066.930] lstrcmpiW (lpString1=".kmz", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".kwm") returned 4 [0066.930] lstrcmpiW (lpString1=".kwm", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".lasso") returned 6 [0066.930] lstrcmpiW (lpString1=".lasso", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".lbi") returned 4 [0066.930] lstrcmpiW (lpString1=".lbi", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".lgf") returned 4 [0066.930] lstrcmpiW (lpString1=".lgf", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".lgp") returned 4 [0066.930] lstrcmpiW (lpString1=".lgp", lpString2="") returned 1 [0066.930] lstrlenW (lpString=".log") returned 4 [0066.930] lstrcmpiW (lpString1=".log", lpString2="") returned 1 [0066.931] lstrlenW (lpString=".m1v") returned 4 [0066.931] lstrcmpiW (lpString1=".m1v", lpString2="") returned 1 [0066.931] lstrlenW (lpString=".m4a") returned 4 [0066.931] lstrcmpiW (lpString1=".m4a", lpString2="") returned 1 [0066.931] lstrlenW (lpString=".m4v") returned 4 [0066.931] lstrcmpiW (lpString1=".m4v", lpString2="") returned 1 [0066.931] lstrlenW (lpString=".max") returned 4 [0066.931] lstrcmpiW (lpString1=".max", lpString2="") returned 1 [0066.931] lstrlenW (lpString=".md") returned 3 [0066.931] lstrcmpiW (lpString1=".md", lpString2="BCD") returned -1 [0066.931] lstrlenW (lpString=".mda") returned 4 [0066.931] lstrcmpiW (lpString1=".mda", lpString2="") returned 1 [0066.931] lstrlenW (lpString=".mdb") returned 4 [0066.931] lstrcmpiW (lpString1=".mdb", lpString2="") returned 1 [0066.931] lstrlenW (lpString=".mde") returned 4 [0066.931] lstrcmpiW (lpString1=".mde", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mdf") returned 4 [0066.932] lstrcmpiW (lpString1=".mdf", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mdw") returned 4 [0066.932] lstrcmpiW (lpString1=".mdw", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mef") returned 4 [0066.932] lstrcmpiW (lpString1=".mef", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mft") returned 4 [0066.932] lstrcmpiW (lpString1=".mft", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mfw") returned 4 [0066.932] lstrcmpiW (lpString1=".mfw", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mht") returned 4 [0066.932] lstrcmpiW (lpString1=".mht", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mhtml") returned 6 [0066.932] lstrcmpiW (lpString1=".mhtml", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mka") returned 4 [0066.932] lstrcmpiW (lpString1=".mka", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mkidx") returned 6 [0066.932] lstrcmpiW (lpString1=".mkidx", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mkv") returned 4 [0066.932] lstrcmpiW (lpString1=".mkv", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mos") returned 4 [0066.932] lstrcmpiW (lpString1=".mos", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mov") returned 4 [0066.932] lstrcmpiW (lpString1=".mov", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mp3") returned 4 [0066.932] lstrcmpiW (lpString1=".mp3", lpString2="") returned 1 [0066.932] lstrlenW (lpString=".mp4") returned 4 [0066.933] lstrcmpiW (lpString1=".mp4", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".mpeg") returned 5 [0066.933] lstrcmpiW (lpString1=".mpeg", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".mpg") returned 4 [0066.933] lstrcmpiW (lpString1=".mpg", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".mpv") returned 4 [0066.933] lstrcmpiW (lpString1=".mpv", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".mrw") returned 4 [0066.933] lstrcmpiW (lpString1=".mrw", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".msg") returned 4 [0066.933] lstrcmpiW (lpString1=".msg", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".mxl") returned 4 [0066.933] lstrcmpiW (lpString1=".mxl", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".myd") returned 4 [0066.933] lstrcmpiW (lpString1=".myd", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".myi") returned 4 [0066.933] lstrcmpiW (lpString1=".myi", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".nef") returned 4 [0066.933] lstrcmpiW (lpString1=".nef", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".nrw") returned 4 [0066.933] lstrcmpiW (lpString1=".nrw", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".obj") returned 4 [0066.933] lstrcmpiW (lpString1=".obj", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".odb") returned 4 [0066.933] lstrcmpiW (lpString1=".odb", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".odc") returned 4 [0066.933] lstrcmpiW (lpString1=".odc", lpString2="") returned 1 [0066.933] lstrlenW (lpString=".odm") returned 4 [0066.934] lstrcmpiW (lpString1=".odm", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".odp") returned 4 [0066.934] lstrcmpiW (lpString1=".odp", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".ods") returned 4 [0066.934] lstrcmpiW (lpString1=".ods", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".oft") returned 4 [0066.934] lstrcmpiW (lpString1=".oft", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".one") returned 4 [0066.934] lstrcmpiW (lpString1=".one", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".onepkg") returned 7 [0066.934] lstrcmpiW (lpString1=".onepkg", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".onetoc2") returned 8 [0066.934] lstrcmpiW (lpString1=".onetoc2", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".opt") returned 4 [0066.934] lstrcmpiW (lpString1=".opt", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".oqy") returned 4 [0066.934] lstrcmpiW (lpString1=".oqy", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".orf") returned 4 [0066.934] lstrcmpiW (lpString1=".orf", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".p12") returned 4 [0066.934] lstrcmpiW (lpString1=".p12", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".p7b") returned 4 [0066.934] lstrcmpiW (lpString1=".p7b", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".p7c") returned 4 [0066.934] lstrcmpiW (lpString1=".p7c", lpString2="") returned 1 [0066.934] lstrlenW (lpString=".pam") returned 4 [0066.934] lstrcmpiW (lpString1=".pam", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".pbm") returned 4 [0066.935] lstrcmpiW (lpString1=".pbm", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".pct") returned 4 [0066.935] lstrcmpiW (lpString1=".pct", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".pcx") returned 4 [0066.935] lstrcmpiW (lpString1=".pcx", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".pdd") returned 4 [0066.935] lstrcmpiW (lpString1=".pdd", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".pdf") returned 4 [0066.935] lstrcmpiW (lpString1=".pdf", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".pdp") returned 4 [0066.935] lstrcmpiW (lpString1=".pdp", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".pef") returned 4 [0066.935] lstrcmpiW (lpString1=".pef", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".pem") returned 4 [0066.935] lstrcmpiW (lpString1=".pem", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".pff") returned 4 [0066.935] lstrcmpiW (lpString1=".pff", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".pfm") returned 4 [0066.935] lstrcmpiW (lpString1=".pfm", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".pfx") returned 4 [0066.935] lstrcmpiW (lpString1=".pfx", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".pgm") returned 4 [0066.935] lstrcmpiW (lpString1=".pgm", lpString2="") returned 1 [0066.935] lstrlenW (lpString=".php") returned 4 [0066.935] lstrcmpiW (lpString1=".php", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".php3") returned 5 [0066.936] lstrcmpiW (lpString1=".php3", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".php4") returned 5 [0066.936] lstrcmpiW (lpString1=".php4", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".php5") returned 5 [0066.936] lstrcmpiW (lpString1=".php5", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".phtml") returned 6 [0066.936] lstrcmpiW (lpString1=".phtml", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".pict") returned 5 [0066.936] lstrcmpiW (lpString1=".pict", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".pl") returned 3 [0066.936] lstrcmpiW (lpString1=".pl", lpString2="BCD") returned -1 [0066.936] lstrlenW (lpString=".pls") returned 4 [0066.936] lstrcmpiW (lpString1=".pls", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".pm") returned 3 [0066.936] lstrcmpiW (lpString1=".pm", lpString2="BCD") returned -1 [0066.936] lstrlenW (lpString=".png") returned 4 [0066.936] lstrcmpiW (lpString1=".png", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".pnm") returned 4 [0066.936] lstrcmpiW (lpString1=".pnm", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".pot") returned 4 [0066.936] lstrcmpiW (lpString1=".pot", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".potm") returned 5 [0066.936] lstrcmpiW (lpString1=".potm", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".potx") returned 5 [0066.936] lstrcmpiW (lpString1=".potx", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".ppa") returned 4 [0066.936] lstrcmpiW (lpString1=".ppa", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".ppam") returned 5 [0066.936] lstrcmpiW (lpString1=".ppam", lpString2="") returned 1 [0066.936] lstrlenW (lpString=".ppm") returned 4 [0066.936] lstrcmpiW (lpString1=".ppm", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".pps") returned 4 [0066.937] lstrcmpiW (lpString1=".pps", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".ppsm") returned 5 [0066.937] lstrcmpiW (lpString1=".ppsm", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".ppt") returned 4 [0066.937] lstrcmpiW (lpString1=".ppt", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".pptm") returned 5 [0066.937] lstrcmpiW (lpString1=".pptm", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".pptx") returned 5 [0066.937] lstrcmpiW (lpString1=".pptx", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".prn") returned 4 [0066.937] lstrcmpiW (lpString1=".prn", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".ps") returned 3 [0066.937] lstrcmpiW (lpString1=".ps", lpString2="BCD") returned -1 [0066.937] lstrlenW (lpString=".psb") returned 4 [0066.937] lstrcmpiW (lpString1=".psb", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".psd") returned 4 [0066.937] lstrcmpiW (lpString1=".psd", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".pst") returned 4 [0066.937] lstrcmpiW (lpString1=".pst", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".ptx") returned 4 [0066.937] lstrcmpiW (lpString1=".ptx", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".pub") returned 4 [0066.937] lstrcmpiW (lpString1=".pub", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".pwm") returned 4 [0066.937] lstrcmpiW (lpString1=".pwm", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".pxr") returned 4 [0066.937] lstrcmpiW (lpString1=".pxr", lpString2="") returned 1 [0066.937] lstrlenW (lpString=".py") returned 3 [0066.937] lstrcmpiW (lpString1=".py", lpString2="BCD") returned -1 [0066.937] lstrlenW (lpString=".qt") returned 3 [0066.937] lstrcmpiW (lpString1=".qt", lpString2="BCD") returned -1 [0066.937] lstrlenW (lpString=".r3d") returned 4 [0066.937] lstrcmpiW (lpString1=".r3d", lpString2="") returned 1 [0066.938] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef70 [0066.940] FindNextFileW (in: hFindFile=0x2cef70, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.940] FindNextFileW (in: hFindFile=0x2cef70, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0066.940] FindClose (in: hFindFile=0x2cef70 | out: hFindFile=0x2cef70) returned 1 [0066.940] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0066.940] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0066.941] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef70 [0066.941] FindNextFileW (in: hFindFile=0x2cef70, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.941] FindNextFileW (in: hFindFile=0x2cef70, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0066.941] FindClose (in: hFindFile=0x2cef70 | out: hFindFile=0x2cef70) returned 1 [0066.941] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0066.941] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0066.941] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef00 [0066.962] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.962] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0066.963] FindClose (in: hFindFile=0x2cef00 | out: hFindFile=0x2cef00) returned 1 [0066.963] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0066.963] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0066.963] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef00 [0066.963] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.963] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0066.963] FindClose (in: hFindFile=0x2cef00 | out: hFindFile=0x2cef00) returned 1 [0066.963] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0066.963] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0066.963] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef00 [0066.969] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.969] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0066.969] FindClose (in: hFindFile=0x2cef00 | out: hFindFile=0x2cef00) returned 1 [0066.969] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0066.969] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0066.969] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef00 [0066.986] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.986] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0066.986] FindClose (in: hFindFile=0x2cef00 | out: hFindFile=0x2cef00) returned 1 [0066.986] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0066.986] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0066.986] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef00 [0066.987] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.987] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0066.987] FindClose (in: hFindFile=0x2cef00 | out: hFindFile=0x2cef00) returned 1 [0066.987] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0066.987] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0066.987] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef00 [0066.990] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0066.991] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0066.991] FindClose (in: hFindFile=0x2cef00 | out: hFindFile=0x2cef00) returned 1 [0066.991] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0066.991] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0066.991] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef00 [0067.019] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.019] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0067.019] FindClose (in: hFindFile=0x2cef00 | out: hFindFile=0x2cef00) returned 1 [0067.019] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0067.019] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0067.020] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef00 [0067.020] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.020] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0067.020] FindClose (in: hFindFile=0x2cef00 | out: hFindFile=0x2cef00) returned 1 [0067.020] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0067.020] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0067.020] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef00 [0067.350] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.350] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0067.350] FindClose (in: hFindFile=0x2cef00 | out: hFindFile=0x2cef00) returned 1 [0067.350] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0067.350] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0067.351] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef00 [0067.351] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.351] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0067.351] FindClose (in: hFindFile=0x2cef00 | out: hFindFile=0x2cef00) returned 1 [0067.351] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0067.351] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0067.351] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef00 [0067.386] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.386] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0067.387] FindClose (in: hFindFile=0x2cef00 | out: hFindFile=0x2cef00) returned 1 [0067.387] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0067.387] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0067.387] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cef00 [0067.387] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.387] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0067.387] FindClose (in: hFindFile=0x2cef00 | out: hFindFile=0x2cef00) returned 1 [0067.387] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3210068 | out: hHeap=0x240000) returned 1 [0067.387] FindNextFileW (in: hFindFile=0x2e0730, lpFindFileData=0x2e9fa84 | out: lpFindFileData=0x2e9fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0067.388] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cf018 [0067.459] FindNextFileW (in: hFindFile=0x2cf018, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.459] FindNextFileW (in: hFindFile=0x2cf018, lpFindFileData=0x2e9f808 | out: lpFindFileData=0x2e9f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0069.672] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf551ba0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.672] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5b2ebe0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf551ba0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.XML", cAlternateFileName="PROJEC~1.XML")) returned 1 [0069.672] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0069.673] lstrlenW (lpString=".3ds") returned 4 [0069.673] lstrcmpiW (lpString1=".3ds", lpString2=".XML") returned -1 [0069.673] lstrlenW (lpString=".3fr") returned 4 [0069.673] lstrcmpiW (lpString1=".3fr", lpString2=".XML") returned -1 [0069.673] lstrlenW (lpString=".3g2") returned 4 [0069.673] lstrcmpiW (lpString1=".3g2", lpString2=".XML") returned -1 [0069.673] lstrlenW (lpString=".3gp") returned 4 [0069.673] lstrcmpiW (lpString1=".3gp", lpString2=".XML") returned -1 [0069.673] lstrlenW (lpString=".7z") returned 3 [0069.673] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0069.673] lstrlenW (lpString=".accda") returned 6 [0069.673] lstrcmpiW (lpString1=".accda", lpString2="UI.XML") returned -1 [0069.673] lstrlenW (lpString=".accdb") returned 6 [0069.673] lstrcmpiW (lpString1=".accdb", lpString2="UI.XML") returned -1 [0069.673] lstrlenW (lpString=".accdc") returned 6 [0069.673] lstrcmpiW (lpString1=".accdc", lpString2="UI.XML") returned -1 [0069.673] lstrlenW (lpString=".accde") returned 6 [0069.673] lstrcmpiW (lpString1=".accde", lpString2="UI.XML") returned -1 [0069.673] lstrlenW (lpString=".accdt") returned 6 [0069.673] lstrcmpiW (lpString1=".accdt", lpString2="UI.XML") returned -1 [0069.673] lstrlenW (lpString=".accdw") returned 6 [0069.673] lstrcmpiW (lpString1=".accdw", lpString2="UI.XML") returned -1 [0069.673] lstrlenW (lpString=".adb") returned 4 [0069.673] lstrcmpiW (lpString1=".adb", lpString2=".XML") returned -1 [0069.673] lstrlenW (lpString=".adp") returned 4 [0069.673] lstrcmpiW (lpString1=".adp", lpString2=".XML") returned -1 [0069.673] lstrlenW (lpString=".ai") returned 3 [0069.673] lstrcmpiW (lpString1=".ai", lpString2="XML") returned -1 [0069.673] lstrlenW (lpString=".ai3") returned 4 [0069.673] lstrcmpiW (lpString1=".ai3", lpString2=".XML") returned -1 [0069.673] lstrlenW (lpString=".ai4") returned 4 [0069.673] lstrcmpiW (lpString1=".ai4", lpString2=".XML") returned -1 [0069.673] lstrlenW (lpString=".ai5") returned 4 [0069.673] lstrcmpiW (lpString1=".ai5", lpString2=".XML") returned -1 [0069.673] lstrlenW (lpString=".ai6") returned 4 [0069.674] lstrcmpiW (lpString1=".ai6", lpString2=".XML") returned -1 [0069.674] lstrlenW (lpString=".ai7") returned 4 [0069.674] lstrcmpiW (lpString1=".ai7", lpString2=".XML") returned -1 [0069.674] lstrlenW (lpString=".ai8") returned 4 [0069.674] lstrcmpiW (lpString1=".ai8", lpString2=".XML") returned -1 [0069.674] lstrlenW (lpString=".anim") returned 5 [0069.674] lstrcmpiW (lpString1=".anim", lpString2="I.XML") returned -1 [0069.674] lstrlenW (lpString=".arw") returned 4 [0069.674] lstrcmpiW (lpString1=".arw", lpString2=".XML") returned -1 [0069.674] lstrlenW (lpString=".as") returned 3 [0069.674] lstrcmpiW (lpString1=".as", lpString2="XML") returned -1 [0069.674] lstrlenW (lpString=".asa") returned 4 [0069.674] lstrcmpiW (lpString1=".asa", lpString2=".XML") returned -1 [0069.674] lstrlenW (lpString=".asc") returned 4 [0069.674] lstrcmpiW (lpString1=".asc", lpString2=".XML") returned -1 [0069.674] lstrlenW (lpString=".ascx") returned 5 [0069.674] lstrcmpiW (lpString1=".ascx", lpString2="I.XML") returned -1 [0069.674] lstrlenW (lpString=".asm") returned 4 [0069.674] lstrcmpiW (lpString1=".asm", lpString2=".XML") returned -1 [0069.674] lstrlenW (lpString=".asmx") returned 5 [0069.674] lstrcmpiW (lpString1=".asmx", lpString2="I.XML") returned -1 [0069.674] lstrlenW (lpString=".asp") returned 4 [0069.674] lstrcmpiW (lpString1=".asp", lpString2=".XML") returned -1 [0069.674] lstrlenW (lpString=".aspx") returned 5 [0069.674] lstrcmpiW (lpString1=".aspx", lpString2="I.XML") returned -1 [0069.674] lstrlenW (lpString=".asr") returned 4 [0069.674] lstrcmpiW (lpString1=".asr", lpString2=".XML") returned -1 [0069.674] lstrlenW (lpString=".asx") returned 4 [0069.674] lstrcmpiW (lpString1=".asx", lpString2=".XML") returned -1 [0069.674] lstrlenW (lpString=".avi") returned 4 [0069.674] lstrcmpiW (lpString1=".avi", lpString2=".XML") returned -1 [0069.674] lstrlenW (lpString=".avs") returned 4 [0069.674] lstrcmpiW (lpString1=".avs", lpString2=".XML") returned -1 [0069.674] lstrlenW (lpString=".backup") returned 7 [0069.674] lstrcmpiW (lpString1=".backup", lpString2="MUI.XML") returned -1 [0069.675] lstrlenW (lpString=".bak") returned 4 [0069.675] lstrcmpiW (lpString1=".bak", lpString2=".XML") returned -1 [0069.675] lstrlenW (lpString=".bay") returned 4 [0069.675] lstrcmpiW (lpString1=".bay", lpString2=".XML") returned -1 [0069.675] lstrlenW (lpString=".bd") returned 3 [0069.691] lstrcmpiW (lpString1=".bd", lpString2="XML") returned -1 [0069.691] lstrlenW (lpString=".bin") returned 4 [0069.691] lstrcmpiW (lpString1=".bin", lpString2=".XML") returned -1 [0069.691] lstrlenW (lpString=".bmp") returned 4 [0069.691] lstrcmpiW (lpString1=".bmp", lpString2=".XML") returned -1 [0069.691] lstrlenW (lpString=".bz2") returned 4 [0069.691] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0069.691] lstrlenW (lpString=".c") returned 2 [0069.691] lstrcmpiW (lpString1=".c", lpString2="ML") returned -1 [0069.691] lstrlenW (lpString=".cdr") returned 4 [0069.691] lstrcmpiW (lpString1=".cdr", lpString2=".XML") returned -1 [0069.691] lstrlenW (lpString=".cer") returned 4 [0069.691] lstrcmpiW (lpString1=".cer", lpString2=".XML") returned -1 [0069.691] lstrlenW (lpString=".cf") returned 3 [0069.691] lstrcmpiW (lpString1=".cf", lpString2="XML") returned -1 [0069.691] lstrlenW (lpString=".cfc") returned 4 [0069.691] lstrcmpiW (lpString1=".cfc", lpString2=".XML") returned -1 [0069.691] lstrlenW (lpString=".cfm") returned 4 [0069.691] lstrcmpiW (lpString1=".cfm", lpString2=".XML") returned -1 [0069.691] lstrlenW (lpString=".cfml") returned 5 [0069.691] lstrcmpiW (lpString1=".cfml", lpString2="I.XML") returned -1 [0069.691] lstrlenW (lpString=".cfu") returned 4 [0069.691] lstrcmpiW (lpString1=".cfu", lpString2=".XML") returned -1 [0069.691] lstrlenW (lpString=".chm") returned 4 [0069.691] lstrcmpiW (lpString1=".chm", lpString2=".XML") returned -1 [0069.691] lstrlenW (lpString=".cin") returned 4 [0069.691] lstrcmpiW (lpString1=".cin", lpString2=".XML") returned -1 [0069.692] lstrlenW (lpString=".class") returned 6 [0069.692] lstrcmpiW (lpString1=".class", lpString2="UI.XML") returned -1 [0069.692] lstrlenW (lpString=".clx") returned 4 [0069.692] lstrcmpiW (lpString1=".clx", lpString2=".XML") returned -1 [0069.692] lstrlenW (lpString=".config") returned 7 [0069.692] lstrcmpiW (lpString1=".config", lpString2="MUI.XML") returned -1 [0069.692] lstrlenW (lpString=".cpp") returned 4 [0069.692] lstrcmpiW (lpString1=".cpp", lpString2=".XML") returned -1 [0069.692] lstrlenW (lpString=".cr2") returned 4 [0069.693] lstrcmpiW (lpString1=".cr2", lpString2=".XML") returned -1 [0069.703] lstrlenW (lpString=".crt") returned 4 [0069.703] lstrcmpiW (lpString1=".crt", lpString2=".XML") returned -1 [0069.703] lstrlenW (lpString=".crw") returned 4 [0069.703] lstrcmpiW (lpString1=".crw", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".cs") returned 3 [0069.704] lstrcmpiW (lpString1=".cs", lpString2="XML") returned -1 [0069.704] lstrlenW (lpString=".css") returned 4 [0069.704] lstrcmpiW (lpString1=".css", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".csv") returned 4 [0069.704] lstrcmpiW (lpString1=".csv", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".cub") returned 4 [0069.704] lstrcmpiW (lpString1=".cub", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".dae") returned 4 [0069.704] lstrcmpiW (lpString1=".dae", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".dat") returned 4 [0069.704] lstrcmpiW (lpString1=".dat", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".db") returned 3 [0069.704] lstrcmpiW (lpString1=".db", lpString2="XML") returned -1 [0069.704] lstrlenW (lpString=".dbf") returned 4 [0069.704] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".dbx") returned 4 [0069.704] lstrcmpiW (lpString1=".dbx", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".dc3") returned 4 [0069.704] lstrcmpiW (lpString1=".dc3", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".dcm") returned 4 [0069.704] lstrcmpiW (lpString1=".dcm", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".dcr") returned 4 [0069.704] lstrcmpiW (lpString1=".dcr", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".der") returned 4 [0069.704] lstrcmpiW (lpString1=".der", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".dib") returned 4 [0069.704] lstrcmpiW (lpString1=".dib", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".dic") returned 4 [0069.704] lstrcmpiW (lpString1=".dic", lpString2=".XML") returned -1 [0069.704] lstrlenW (lpString=".dif") returned 4 [0069.705] lstrcmpiW (lpString1=".dif", lpString2=".XML") returned -1 [0069.705] lstrlenW (lpString=".divx") returned 5 [0069.705] lstrcmpiW (lpString1=".divx", lpString2="I.XML") returned -1 [0069.705] lstrlenW (lpString=".djvu") returned 5 [0069.705] lstrcmpiW (lpString1=".djvu", lpString2="I.XML") returned -1 [0069.705] lstrlenW (lpString=".dng") returned 4 [0069.705] lstrcmpiW (lpString1=".dng", lpString2=".XML") returned -1 [0069.705] lstrlenW (lpString=".doc") returned 4 [0069.705] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0069.705] lstrlenW (lpString=".docm") returned 5 [0069.705] lstrcmpiW (lpString1=".docm", lpString2="I.XML") returned -1 [0069.705] lstrlenW (lpString=".docx") returned 5 [0069.705] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0069.705] lstrlenW (lpString=".dot") returned 4 [0069.705] lstrcmpiW (lpString1=".dot", lpString2=".XML") returned -1 [0069.705] lstrlenW (lpString=".dotm") returned 5 [0069.705] lstrcmpiW (lpString1=".dotm", lpString2="I.XML") returned -1 [0069.705] lstrlenW (lpString=".dotx") returned 5 [0069.705] lstrcmpiW (lpString1=".dotx", lpString2="I.XML") returned -1 [0069.705] lstrlenW (lpString=".dpx") returned 4 [0069.705] lstrcmpiW (lpString1=".dpx", lpString2=".XML") returned -1 [0069.705] lstrlenW (lpString=".dqy") returned 4 [0069.705] lstrcmpiW (lpString1=".dqy", lpString2=".XML") returned -1 [0069.706] lstrlenW (lpString=".dsn") returned 4 [0069.706] lstrcmpiW (lpString1=".dsn", lpString2=".XML") returned -1 [0069.706] lstrlenW (lpString=".dt") returned 3 [0069.706] lstrcmpiW (lpString1=".dt", lpString2="XML") returned -1 [0069.706] lstrlenW (lpString=".dtd") returned 4 [0069.706] lstrcmpiW (lpString1=".dtd", lpString2=".XML") returned -1 [0069.706] lstrlenW (lpString=".dwg") returned 4 [0069.706] lstrcmpiW (lpString1=".dwg", lpString2=".XML") returned -1 [0069.706] lstrlenW (lpString=".dwt") returned 4 [0069.706] lstrcmpiW (lpString1=".dwt", lpString2=".XML") returned -1 [0069.706] lstrlenW (lpString=".dx") returned 3 [0069.706] lstrcmpiW (lpString1=".dx", lpString2="XML") returned -1 [0069.706] lstrlenW (lpString=".dxf") returned 4 [0069.706] lstrcmpiW (lpString1=".dxf", lpString2=".XML") returned -1 [0069.706] lstrlenW (lpString=".edml") returned 5 [0069.706] lstrcmpiW (lpString1=".edml", lpString2="I.XML") returned -1 [0069.706] lstrlenW (lpString=".efd") returned 4 [0069.706] lstrcmpiW (lpString1=".efd", lpString2=".XML") returned -1 [0069.706] lstrlenW (lpString=".elf") returned 4 [0069.706] lstrcmpiW (lpString1=".elf", lpString2=".XML") returned -1 [0069.706] lstrlenW (lpString=".emf") returned 4 [0069.706] lstrcmpiW (lpString1=".emf", lpString2=".XML") returned -1 [0069.706] lstrlenW (lpString=".emz") returned 4 [0069.706] lstrcmpiW (lpString1=".emz", lpString2=".XML") returned -1 [0069.706] lstrlenW (lpString=".epf") returned 4 [0069.706] lstrcmpiW (lpString1=".epf", lpString2=".XML") returned -1 [0069.706] lstrlenW (lpString=".eps") returned 4 [0069.706] lstrcmpiW (lpString1=".eps", lpString2=".XML") returned -1 [0069.706] lstrlenW (lpString=".epsf") returned 5 [0069.706] lstrcmpiW (lpString1=".epsf", lpString2="I.XML") returned -1 [0069.706] lstrlenW (lpString=".epsp") returned 5 [0069.706] lstrcmpiW (lpString1=".epsp", lpString2="I.XML") returned -1 [0069.706] lstrlenW (lpString=".erf") returned 4 [0069.706] lstrcmpiW (lpString1=".erf", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".exr") returned 4 [0069.707] lstrcmpiW (lpString1=".exr", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".f4v") returned 4 [0069.707] lstrcmpiW (lpString1=".f4v", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".fido") returned 5 [0069.707] lstrcmpiW (lpString1=".fido", lpString2="I.XML") returned -1 [0069.707] lstrlenW (lpString=".flm") returned 4 [0069.707] lstrcmpiW (lpString1=".flm", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".flv") returned 4 [0069.707] lstrcmpiW (lpString1=".flv", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".frm") returned 4 [0069.707] lstrcmpiW (lpString1=".frm", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".fxg") returned 4 [0069.707] lstrcmpiW (lpString1=".fxg", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".geo") returned 4 [0069.707] lstrcmpiW (lpString1=".geo", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".gif") returned 4 [0069.707] lstrcmpiW (lpString1=".gif", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".grs") returned 4 [0069.707] lstrcmpiW (lpString1=".grs", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".gz") returned 3 [0069.707] lstrcmpiW (lpString1=".gz", lpString2="XML") returned -1 [0069.707] lstrlenW (lpString=".h") returned 2 [0069.707] lstrcmpiW (lpString1=".h", lpString2="ML") returned -1 [0069.707] lstrlenW (lpString=".hdr") returned 4 [0069.707] lstrcmpiW (lpString1=".hdr", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".hpp") returned 4 [0069.707] lstrcmpiW (lpString1=".hpp", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".hta") returned 4 [0069.707] lstrcmpiW (lpString1=".hta", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".htc") returned 4 [0069.707] lstrcmpiW (lpString1=".htc", lpString2=".XML") returned -1 [0069.707] lstrlenW (lpString=".htm") returned 4 [0069.707] lstrcmpiW (lpString1=".htm", lpString2=".XML") returned -1 [0069.708] lstrlenW (lpString=".html") returned 5 [0069.708] lstrcmpiW (lpString1=".html", lpString2="I.XML") returned -1 [0069.708] lstrlenW (lpString=".icb") returned 4 [0069.708] lstrcmpiW (lpString1=".icb", lpString2=".XML") returned -1 [0069.708] lstrlenW (lpString=".ics") returned 4 [0069.708] lstrcmpiW (lpString1=".ics", lpString2=".XML") returned -1 [0069.708] lstrlenW (lpString=".iff") returned 4 [0069.708] lstrcmpiW (lpString1=".iff", lpString2=".XML") returned -1 [0069.708] lstrlenW (lpString=".inc") returned 4 [0069.708] lstrcmpiW (lpString1=".inc", lpString2=".XML") returned -1 [0069.708] lstrlenW (lpString=".indd") returned 5 [0069.708] lstrcmpiW (lpString1=".indd", lpString2="I.XML") returned -1 [0069.708] lstrlenW (lpString=".ini") returned 4 [0069.708] lstrcmpiW (lpString1=".ini", lpString2=".XML") returned -1 [0069.708] lstrlenW (lpString=".iqy") returned 4 [0069.708] lstrcmpiW (lpString1=".iqy", lpString2=".XML") returned -1 [0069.708] lstrlenW (lpString=".j2c") returned 4 [0069.708] lstrcmpiW (lpString1=".j2c", lpString2=".XML") returned -1 [0069.708] lstrlenW (lpString=".j2k") returned 4 [0069.708] lstrcmpiW (lpString1=".j2k", lpString2=".XML") returned -1 [0069.708] lstrlenW (lpString=".java") returned 5 [0069.708] lstrcmpiW (lpString1=".java", lpString2="I.XML") returned -1 [0069.708] lstrlenW (lpString=".jp2") returned 4 [0069.708] lstrcmpiW (lpString1=".jp2", lpString2=".XML") returned -1 [0069.708] lstrlenW (lpString=".jpc") returned 4 [0069.708] lstrcmpiW (lpString1=".jpc", lpString2=".XML") returned -1 [0069.708] lstrlenW (lpString=".jpe") returned 4 [0069.708] lstrcmpiW (lpString1=".jpe", lpString2=".XML") returned -1 [0069.708] lstrlenW (lpString=".jpeg") returned 5 [0069.708] lstrcmpiW (lpString1=".jpeg", lpString2="I.XML") returned -1 [0069.708] lstrlenW (lpString=".jpf") returned 4 [0069.708] lstrcmpiW (lpString1=".jpf", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".jpg") returned 4 [0069.709] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".jpx") returned 4 [0069.709] lstrcmpiW (lpString1=".jpx", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".js") returned 3 [0069.709] lstrcmpiW (lpString1=".js", lpString2="XML") returned -1 [0069.709] lstrlenW (lpString=".jsf") returned 4 [0069.709] lstrcmpiW (lpString1=".jsf", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".json") returned 5 [0069.709] lstrcmpiW (lpString1=".json", lpString2="I.XML") returned -1 [0069.709] lstrlenW (lpString=".jsp") returned 4 [0069.709] lstrcmpiW (lpString1=".jsp", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".kdc") returned 4 [0069.709] lstrcmpiW (lpString1=".kdc", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".kmz") returned 4 [0069.709] lstrcmpiW (lpString1=".kmz", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".kwm") returned 4 [0069.709] lstrcmpiW (lpString1=".kwm", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".lasso") returned 6 [0069.709] lstrcmpiW (lpString1=".lasso", lpString2="UI.XML") returned -1 [0069.709] lstrlenW (lpString=".lbi") returned 4 [0069.709] lstrcmpiW (lpString1=".lbi", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".lgf") returned 4 [0069.709] lstrcmpiW (lpString1=".lgf", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".lgp") returned 4 [0069.709] lstrcmpiW (lpString1=".lgp", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".log") returned 4 [0069.709] lstrcmpiW (lpString1=".log", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".m1v") returned 4 [0069.709] lstrcmpiW (lpString1=".m1v", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".m4a") returned 4 [0069.709] lstrcmpiW (lpString1=".m4a", lpString2=".XML") returned -1 [0069.709] lstrlenW (lpString=".m4v") returned 4 [0069.709] lstrcmpiW (lpString1=".m4v", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".max") returned 4 [0069.710] lstrcmpiW (lpString1=".max", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".md") returned 3 [0069.710] lstrcmpiW (lpString1=".md", lpString2="XML") returned -1 [0069.710] lstrlenW (lpString=".mda") returned 4 [0069.710] lstrcmpiW (lpString1=".mda", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".mdb") returned 4 [0069.710] lstrcmpiW (lpString1=".mdb", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".mde") returned 4 [0069.710] lstrcmpiW (lpString1=".mde", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".mdf") returned 4 [0069.710] lstrcmpiW (lpString1=".mdf", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".mdw") returned 4 [0069.710] lstrcmpiW (lpString1=".mdw", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".mef") returned 4 [0069.710] lstrcmpiW (lpString1=".mef", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".mft") returned 4 [0069.710] lstrcmpiW (lpString1=".mft", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".mfw") returned 4 [0069.710] lstrcmpiW (lpString1=".mfw", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".mht") returned 4 [0069.710] lstrcmpiW (lpString1=".mht", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".mhtml") returned 6 [0069.710] lstrcmpiW (lpString1=".mhtml", lpString2="UI.XML") returned -1 [0069.710] lstrlenW (lpString=".mka") returned 4 [0069.710] lstrcmpiW (lpString1=".mka", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".mkidx") returned 6 [0069.710] lstrcmpiW (lpString1=".mkidx", lpString2="UI.XML") returned -1 [0069.710] lstrlenW (lpString=".mkv") returned 4 [0069.710] lstrcmpiW (lpString1=".mkv", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".mos") returned 4 [0069.710] lstrcmpiW (lpString1=".mos", lpString2=".XML") returned -1 [0069.710] lstrlenW (lpString=".mov") returned 4 [0069.711] lstrcmpiW (lpString1=".mov", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".mp3") returned 4 [0069.711] lstrcmpiW (lpString1=".mp3", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".mp4") returned 4 [0069.711] lstrcmpiW (lpString1=".mp4", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".mpeg") returned 5 [0069.711] lstrcmpiW (lpString1=".mpeg", lpString2="I.XML") returned -1 [0069.711] lstrlenW (lpString=".mpg") returned 4 [0069.711] lstrcmpiW (lpString1=".mpg", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".mpv") returned 4 [0069.711] lstrcmpiW (lpString1=".mpv", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".mrw") returned 4 [0069.711] lstrcmpiW (lpString1=".mrw", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".msg") returned 4 [0069.711] lstrcmpiW (lpString1=".msg", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".mxl") returned 4 [0069.711] lstrcmpiW (lpString1=".mxl", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".myd") returned 4 [0069.711] lstrcmpiW (lpString1=".myd", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".myi") returned 4 [0069.711] lstrcmpiW (lpString1=".myi", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".nef") returned 4 [0069.711] lstrcmpiW (lpString1=".nef", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".nrw") returned 4 [0069.711] lstrcmpiW (lpString1=".nrw", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".obj") returned 4 [0069.711] lstrcmpiW (lpString1=".obj", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".odb") returned 4 [0069.711] lstrcmpiW (lpString1=".odb", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".odc") returned 4 [0069.711] lstrcmpiW (lpString1=".odc", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".odm") returned 4 [0069.711] lstrcmpiW (lpString1=".odm", lpString2=".XML") returned -1 [0069.711] lstrlenW (lpString=".odp") returned 4 [0069.712] lstrcmpiW (lpString1=".odp", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".ods") returned 4 [0069.712] lstrcmpiW (lpString1=".ods", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".oft") returned 4 [0069.712] lstrcmpiW (lpString1=".oft", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".one") returned 4 [0069.712] lstrcmpiW (lpString1=".one", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".onepkg") returned 7 [0069.712] lstrcmpiW (lpString1=".onepkg", lpString2="MUI.XML") returned -1 [0069.712] lstrlenW (lpString=".onetoc2") returned 8 [0069.712] lstrcmpiW (lpString1=".onetoc2", lpString2="tMUI.XML") returned -1 [0069.712] lstrlenW (lpString=".opt") returned 4 [0069.712] lstrcmpiW (lpString1=".opt", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".oqy") returned 4 [0069.712] lstrcmpiW (lpString1=".oqy", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".orf") returned 4 [0069.712] lstrcmpiW (lpString1=".orf", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".p12") returned 4 [0069.712] lstrcmpiW (lpString1=".p12", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".p7b") returned 4 [0069.712] lstrcmpiW (lpString1=".p7b", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".p7c") returned 4 [0069.712] lstrcmpiW (lpString1=".p7c", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".pam") returned 4 [0069.712] lstrcmpiW (lpString1=".pam", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".pbm") returned 4 [0069.712] lstrcmpiW (lpString1=".pbm", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".pct") returned 4 [0069.712] lstrcmpiW (lpString1=".pct", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".pcx") returned 4 [0069.712] lstrcmpiW (lpString1=".pcx", lpString2=".XML") returned -1 [0069.712] lstrlenW (lpString=".pdd") returned 4 [0069.712] lstrcmpiW (lpString1=".pdd", lpString2=".XML") returned -1 [0069.713] lstrlenW (lpString=".pdf") returned 4 [0069.713] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0069.713] lstrlenW (lpString=".pdp") returned 4 [0069.713] lstrcmpiW (lpString1=".pdp", lpString2=".XML") returned -1 [0069.713] lstrlenW (lpString=".pef") returned 4 [0069.713] lstrcmpiW (lpString1=".pef", lpString2=".XML") returned -1 [0069.713] lstrlenW (lpString=".pem") returned 4 [0069.713] lstrcmpiW (lpString1=".pem", lpString2=".XML") returned -1 [0069.713] lstrlenW (lpString=".pff") returned 4 [0069.713] lstrcmpiW (lpString1=".pff", lpString2=".XML") returned -1 [0069.713] lstrlenW (lpString=".pfm") returned 4 [0069.713] lstrcmpiW (lpString1=".pfm", lpString2=".XML") returned -1 [0069.713] lstrlenW (lpString=".pfx") returned 4 [0069.713] lstrcmpiW (lpString1=".pfx", lpString2=".XML") returned -1 [0069.713] lstrlenW (lpString=".pgm") returned 4 [0069.713] lstrcmpiW (lpString1=".pgm", lpString2=".XML") returned -1 [0069.713] lstrlenW (lpString=".php") returned 4 [0069.713] lstrcmpiW (lpString1=".php", lpString2=".XML") returned -1 [0069.713] lstrlenW (lpString=".php3") returned 5 [0069.713] lstrcmpiW (lpString1=".php3", lpString2="I.XML") returned -1 [0069.713] lstrlenW (lpString=".php4") returned 5 [0069.713] lstrcmpiW (lpString1=".php4", lpString2="I.XML") returned -1 [0069.713] lstrlenW (lpString=".php5") returned 5 [0069.713] lstrcmpiW (lpString1=".php5", lpString2="I.XML") returned -1 [0069.713] lstrlenW (lpString=".phtml") returned 6 [0069.713] lstrcmpiW (lpString1=".phtml", lpString2="UI.XML") returned -1 [0069.713] lstrlenW (lpString=".pict") returned 5 [0069.713] lstrcmpiW (lpString1=".pict", lpString2="I.XML") returned -1 [0069.713] lstrlenW (lpString=".pl") returned 3 [0069.713] lstrcmpiW (lpString1=".pl", lpString2="XML") returned -1 [0069.713] lstrlenW (lpString=".pls") returned 4 [0069.713] lstrcmpiW (lpString1=".pls", lpString2=".XML") returned -1 [0069.713] lstrlenW (lpString=".pm") returned 3 [0069.713] lstrcmpiW (lpString1=".pm", lpString2="XML") returned -1 [0069.713] lstrlenW (lpString=".png") returned 4 [0069.713] lstrcmpiW (lpString1=".png", lpString2=".XML") returned -1 [0069.714] lstrlenW (lpString=".pnm") returned 4 [0069.714] lstrcmpiW (lpString1=".pnm", lpString2=".XML") returned -1 [0069.714] lstrlenW (lpString=".pot") returned 4 [0069.714] lstrcmpiW (lpString1=".pot", lpString2=".XML") returned -1 [0069.714] lstrlenW (lpString=".potm") returned 5 [0069.714] lstrcmpiW (lpString1=".potm", lpString2="I.XML") returned -1 [0069.714] lstrlenW (lpString=".potx") returned 5 [0069.714] lstrcmpiW (lpString1=".potx", lpString2="I.XML") returned -1 [0069.714] lstrlenW (lpString=".ppa") returned 4 [0069.714] lstrcmpiW (lpString1=".ppa", lpString2=".XML") returned -1 [0069.714] lstrlenW (lpString=".ppam") returned 5 [0069.714] lstrcmpiW (lpString1=".ppam", lpString2="I.XML") returned -1 [0069.714] lstrlenW (lpString=".ppm") returned 4 [0069.714] lstrcmpiW (lpString1=".ppm", lpString2=".XML") returned -1 [0069.714] lstrlenW (lpString=".pps") returned 4 [0069.714] lstrcmpiW (lpString1=".pps", lpString2=".XML") returned -1 [0069.714] lstrlenW (lpString=".ppsm") returned 5 [0069.714] lstrcmpiW (lpString1=".ppsm", lpString2="I.XML") returned -1 [0069.714] lstrlenW (lpString=".ppt") returned 4 [0069.714] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0069.714] lstrlenW (lpString=".pptm") returned 5 [0069.714] lstrcmpiW (lpString1=".pptm", lpString2="I.XML") returned -1 [0069.714] lstrlenW (lpString=".pptx") returned 5 [0069.714] lstrcmpiW (lpString1=".pptx", lpString2="I.XML") returned -1 [0069.714] lstrlenW (lpString=".prn") returned 4 [0069.714] lstrcmpiW (lpString1=".prn", lpString2=".XML") returned -1 [0069.714] lstrlenW (lpString=".ps") returned 3 [0069.714] lstrcmpiW (lpString1=".ps", lpString2="XML") returned -1 [0069.714] lstrlenW (lpString=".psb") returned 4 [0069.714] lstrcmpiW (lpString1=".psb", lpString2=".XML") returned -1 [0069.714] lstrlenW (lpString=".psd") returned 4 [0069.714] lstrcmpiW (lpString1=".psd", lpString2=".XML") returned -1 [0069.714] lstrlenW (lpString=".pst") returned 4 [0069.714] lstrcmpiW (lpString1=".pst", lpString2=".XML") returned -1 [0069.714] lstrlenW (lpString=".ptx") returned 4 [0069.715] lstrcmpiW (lpString1=".ptx", lpString2=".XML") returned -1 [0069.715] lstrlenW (lpString=".pub") returned 4 [0069.715] lstrcmpiW (lpString1=".pub", lpString2=".XML") returned -1 [0069.715] lstrlenW (lpString=".pwm") returned 4 [0069.715] lstrcmpiW (lpString1=".pwm", lpString2=".XML") returned -1 [0069.715] lstrlenW (lpString=".pxr") returned 4 [0069.715] lstrcmpiW (lpString1=".pxr", lpString2=".XML") returned -1 [0069.715] lstrlenW (lpString=".py") returned 3 [0069.715] lstrcmpiW (lpString1=".py", lpString2="XML") returned -1 [0069.715] lstrlenW (lpString=".qt") returned 3 [0069.715] lstrcmpiW (lpString1=".qt", lpString2="XML") returned -1 [0069.715] lstrlenW (lpString=".r3d") returned 4 [0069.715] lstrcmpiW (lpString1=".r3d", lpString2=".XML") returned -1 [0069.715] lstrlenW (lpString=".raf") returned 4 [0069.715] lstrcmpiW (lpString1=".raf", lpString2=".XML") returned -1 [0069.715] lstrlenW (lpString=".rar") returned 4 [0069.715] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0069.715] lstrlenW (lpString=".raw") returned 4 [0069.715] lstrcmpiW (lpString1=".raw", lpString2=".XML") returned -1 [0069.715] lstrlenW (lpString=".rdf") returned 4 [0069.715] lstrcmpiW (lpString1=".rdf", lpString2=".XML") returned -1 [0069.715] lstrlenW (lpString=".rgbe") returned 5 [0069.715] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0069.716] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4014778 | out: hHeap=0x240000) returned 1 [0069.716] FindNextFileW (in: hFindFile=0x3fe2560, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99177d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0069.716] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99177d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0069.729] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99177d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.731] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf01be3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.XML", cAlternateFileName="")) returned 1 [0069.731] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0069.732] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4014778 | out: hHeap=0x240000) returned 1 [0069.732] FindNextFileW (in: hFindFile=0x3fe2560, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0069.732] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.561] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.561] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4e37e00, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.XML", cAlternateFileName="")) returned 1 [0070.561] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.561] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4014778 | out: hHeap=0x240000) returned 1 [0070.561] FindNextFileW (in: hFindFile=0x3fe2560, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0070.562] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.562] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.562] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2bd90c0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.XML", cAlternateFileName="")) returned 1 [0070.562] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.562] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4014778 | out: hHeap=0x240000) returned 1 [0070.562] FindNextFileW (in: hFindFile=0x3fe2560, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab8a250, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.en-us", cAlternateFileName="PROOFI~1.EN-")) returned 1 [0070.562] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab8a250, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.562] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab8a250, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.562] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf00db300, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.XML", cAlternateFileName="")) returned 1 [0070.562] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.563] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4014778 | out: hHeap=0x240000) returned 1 [0070.563] FindNextFileW (in: hFindFile=0x3fe2560, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd64f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROPLUSR", cAlternateFileName="")) returned 1 [0070.563] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd64f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.678] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd64f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.678] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x170fe40, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPlusrWW.XML", cAlternateFileName="PROPLU~1.XML")) returned 1 [0070.678] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.679] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4014778 | out: hHeap=0x240000) returned 1 [0070.679] FindNextFileW (in: hFindFile=0x3fe2560, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bc89d70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher.en-us", cAlternateFileName="PUBLIS~1.EN-")) returned 1 [0070.679] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bc89d70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.680] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bc89d70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.680] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc3e4630, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x1ba9ab90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublisherMUI.XML", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0070.680] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.680] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4014778 | out: hHeap=0x240000) returned 1 [0070.680] FindNextFileW (in: hFindFile=0x3fe2560, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cba0700, ftCreationTime.dwHighDateTime=0x1cb7664, ftLastAccessTime.dwLowDateTime=0xd78c2600, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8cba0700, ftLastWriteTime.dwHighDateTime=0x1cb7664, nFileSizeHigh=0x0, nFileSizeLow=0x150378, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0070.680] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b66320, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x50da17c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.682] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b66320, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x50da17c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.682] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43bdc500, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0070.682] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.683] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4014778 | out: hHeap=0x240000) returned 1 [0070.683] FindNextFileW (in: hFindFile=0x3fe2560, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83258520, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x84c615c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIOR", cAlternateFileName="")) returned 1 [0070.683] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83258520, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x84c615c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.683] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83258520, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x84c615c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.683] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a6d3200, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0070.683] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.683] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4014778 | out: hHeap=0x240000) returned 1 [0070.683] FindNextFileW (in: hFindFile=0x3fe2560, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word.en-us", cAlternateFileName="WORD~1.EN-")) returned 1 [0070.684] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2520 [0071.018] FindNextFileW (in: hFindFile=0x3fe2520, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.019] FindNextFileW (in: hFindFile=0x3fe2520, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe076d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0088.241] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70c9f7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70c9f7b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0088.241] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff9cb700, ftCreationTime.dwHighDateTime=0x1c6a86d, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xff9cb700, ftLastWriteTime.dwHighDateTime=0x1c6a86d, nFileSizeHigh=0x0, nFileSizeLow=0x8b62, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUTHOR.XSL", cAlternateFileName="")) returned 1 [0089.063] FindClose (in: hFindFile=0x3fe24a0 | out: hFindFile=0x3fe24a0) returned 1 [0089.063] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4034788 | out: hHeap=0x240000) returned 1 [0089.063] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51422110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 0 [0089.063] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0089.064] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3fd12f8 | out: hHeap=0x240000) returned 1 [0089.064] FindNextFileW (in: hFindFile=0x3fe2460, lpFindFileData=0x2e9f58c | out: lpFindFileData=0x2e9f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58b4ce70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BORDERS", cAlternateFileName="")) returned 1 [0089.064] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\*", lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58b4ce70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe23a0 [0089.676] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58b4ce70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.676] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e533000, ftCreationTime.dwHighDateTime=0x1bc8d39, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8e533000, ftLastWriteTime.dwHighDateTime=0x1bc8d39, nFileSizeHigh=0x0, nFileSizeLow=0x7df6, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSART1.BDR", cAlternateFileName="")) returned 1 [0089.677] FindClose (in: hFindFile=0x3fe23a0 | out: hFindFile=0x3fe23a0) returned 1 [0089.678] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3fd12f8 | out: hHeap=0x240000) returned 1 [0089.678] FindNextFileW (in: hFindFile=0x3fe2460, lpFindFileData=0x2e9f58c | out: lpFindFileData=0x2e9f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ee75d00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd248dbc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1ee75d00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x2d998, dwReserved0=0x0, dwReserved1=0x0, cFileName="BRTVIEW.DLL", cAlternateFileName="")) returned 1 [0089.679] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\*", lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfff68b70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d547830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d547830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe23a0 [0089.910] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfff68b70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d547830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d547830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.910] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe7ef0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0089.911] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\1033\\*", lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe7ef0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0089.950] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe7ef0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.950] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42794100, ftCreationTime.dwHighDateTime=0x1cab7ca, ftLastAccessTime.dwLowDateTime=0xccc730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x42794100, ftLastWriteTime.dwHighDateTime=0x1cab7ca, nFileSizeHigh=0x0, nFileSizeLow=0x3388, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACT3R.SAM", cAlternateFileName="")) returned 1 [0089.951] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0089.952] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x32b2a20 | out: hHeap=0x240000) returned 1 [0089.952] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42794100, ftCreationTime.dwHighDateTime=0x1cab7ca, ftLastAccessTime.dwLowDateTime=0x51174850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x42794100, ftLastWriteTime.dwHighDateTime=0x1cab7ca, nFileSizeHigh=0x0, nFileSizeLow=0x16178, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACT3.SAM", cAlternateFileName="")) returned 1 [0089.954] FindClose (in: hFindFile=0x3fe23a0 | out: hFindFile=0x3fe23a0) returned 1 [0089.954] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3fd12f8 | out: hHeap=0x240000) returned 1 [0089.954] FindNextFileW (in: hFindFile=0x3fe2460, lpFindFileData=0x2e9f58c | out: lpFindFileData=0x2e9f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18a49800, ftCreationTime.dwHighDateTime=0x1cbae39, ftLastAccessTime.dwLowDateTime=0xa2045a20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x18a49800, ftLastWriteTime.dwHighDateTime=0x1cbae39, nFileSizeHigh=0x0, nFileSizeLow=0x911b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CSS7DATA0009.DLL", cAlternateFileName="CSS7DA~3.DLL")) returned 1 [0089.955] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\*", lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e3382f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e3382f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e3382f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe23a0 [0089.956] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e3382f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e3382f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e3382f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.956] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e3382f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e3382f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e3382f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0089.956] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\1033\\*", lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e3382f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e3382f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e3382f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0089.957] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e3382f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e3382f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e3382f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.957] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e3382f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e3382f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e3382f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="14", cAlternateFileName="")) returned 1 [0089.957] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Document Parts\\1033\\14\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e3382f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e3382f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e3382f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe24a0 [0089.957] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e3382f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e3382f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e3382f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.957] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b18ae00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3845b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b18ae00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x3fe4ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 1 [0089.958] FindClose (in: hFindFile=0x3fe24a0 | out: hFindFile=0x3fe24a0) returned 1 [0089.958] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4024780 | out: hHeap=0x240000) returned 1 [0089.958] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e3382f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e3382f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e3382f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="14", cAlternateFileName="")) returned 0 [0089.958] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0089.958] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x32b2a20 | out: hHeap=0x240000) returned 1 [0089.958] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e3382f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e3382f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e3382f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0089.958] FindClose (in: hFindFile=0x3fe23a0 | out: hFindFile=0x3fe23a0) returned 1 [0089.958] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3fd12f8 | out: hHeap=0x240000) returned 1 [0089.958] FindNextFileW (in: hFindFile=0x3fe2460, lpFindFileData=0x2e9f58c | out: lpFindFileData=0x2e9f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ff0d00, ftCreationTime.dwHighDateTime=0x1cb71c7, ftLastAccessTime.dwLowDateTime=0xcfd6d220, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6ff0d00, ftLastWriteTime.dwHighDateTime=0x1cb71c7, nFileSizeHigh=0x0, nFileSizeLow=0x1acf78, dwReserved0=0x0, dwReserved1=0x0, cFileName="DRILLDWN.DLL", cAlternateFileName="")) returned 1 [0089.960] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\*", lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccc730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xccc730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xccc730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe23a0 [0089.961] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccc730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xccc730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xccc730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.961] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccc730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0089.961] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\*", lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccc730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0089.972] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccc730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.975] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75974300, ftCreationTime.dwHighDateTime=0x1c50f43, ftLastAccessTime.dwLowDateTime=0xccc730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x75974300, ftLastWriteTime.dwHighDateTime=0x1c50f43, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACTIVITL.ICO", cAlternateFileName="")) returned 1 [0089.984] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0089.985] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x32b2a20 | out: hHeap=0x240000) returned 1 [0089.985] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccc730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0089.985] FindClose (in: hFindFile=0x3fe23a0 | out: hFindFile=0x3fe23a0) returned 1 [0089.985] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3fd12f8 | out: hHeap=0x240000) returned 1 [0089.985] FindNextFileW (in: hFindFile=0x3fe2460, lpFindFileData=0x2e9f58c | out: lpFindFileData=0x2e9f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc59cb00, ftCreationTime.dwHighDateTime=0x1c3e388, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcc59cb00, ftLastWriteTime.dwHighDateTime=0x1c3e388, nFileSizeHigh=0x0, nFileSizeLow=0x88933, dwReserved0=0x0, dwReserved1=0x0, cFileName="FRENCH.LNG", cAlternateFileName="")) returned 1 [0089.986] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\*", lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x582abeb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x582abeb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe23a0 [0089.990] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x582abeb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x582abeb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.990] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0089.991] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\*", lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0089.993] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.993] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="groove.net", cAlternateFileName="")) returned 1 [0089.993] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe24a0 [0089.994] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.994] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d2c00d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Components", cAlternateFileName="COMPON~1")) returned 1 [0089.994] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\*", lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d2c00d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2660 [0089.995] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d2c00d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.995] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bcf1000, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6bcf1000, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x0, dwReserved1=0x0, cFileName="SignedComponents.cer", cAlternateFileName="SIGNED~1.CER")) returned 1 [0089.995] FindClose (in: hFindFile=0x3fe2660 | out: hFindFile=0x3fe2660) returned 1 [0089.996] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4034788 | out: hHeap=0x240000) returned 1 [0089.996] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a95a430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ManagedObjects", cAlternateFileName="MANAGE~1")) returned 1 [0089.996] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\ManagedObjects\\*", lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a95a430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2660 [0089.997] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a95a430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.997] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bcf1000, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6bcf1000, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x290, dwReserved0=0x0, dwReserved1=0x0, cFileName="SignedManagedObjects.cer", cAlternateFileName="SIGNED~1.CER")) returned 1 [0089.997] FindClose (in: hFindFile=0x3fe2660 | out: hFindFile=0x3fe2660) returned 1 [0089.998] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4034788 | out: hHeap=0x240000) returned 1 [0089.998] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d169470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d169470, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Servers", cAlternateFileName="")) returned 1 [0089.998] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\*", lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d169470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d169470, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2660 [0089.998] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d169470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d169470, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.998] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d003d00, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x582abeb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d003d00, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x3b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Management.cer", cAlternateFileName="MANAGE~1.CER")) returned 1 [0089.998] FindClose (in: hFindFile=0x3fe2660 | out: hFindFile=0x3fe2660) returned 1 [0089.998] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4034788 | out: hHeap=0x240000) returned 1 [0089.998] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d169470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d169470, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Servers", cAlternateFileName="")) returned 0 [0089.998] FindClose (in: hFindFile=0x3fe24a0 | out: hFindFile=0x3fe24a0) returned 1 [0089.998] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4024780 | out: hHeap=0x240000) returned 1 [0089.998] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e490770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verisign", cAlternateFileName="")) returned 1 [0089.999] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e490770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe24a0 [0090.000] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e490770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.000] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e490770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70744630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70744630, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Components", cAlternateFileName="COMPON~1")) returned 1 [0090.000] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\*", lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e490770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70744630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70744630, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2660 [0090.002] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e490770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70744630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70744630, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.003] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d003d00, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d003d00, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x3ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", cAlternateFileName="VERISI~1.CER")) returned 1 [0092.804] FindClose (in: hFindFile=0x3fe27a0 | out: hFindFile=0x3fe27a0) returned 1 [0092.812] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4034788 | out: hHeap=0x240000) returned 1 [0092.818] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70c9f7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70c9f7b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveProjectToolset", cAlternateFileName="GRA998~1")) returned 1 [0092.818] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\*", lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70c9f7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70c9f7b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2620 [0092.818] FindNextFileW (in: hFindFile=0x3fe2620, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70c9f7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70c9f7b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.818] FindNextFileW (in: hFindFile=0x3fe2620, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3559c00, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x51a61ad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb3559c00, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x140b, dwReserved0=0x0, dwReserved1=0x0, cFileName="BriefcaseIcon.jpg", cAlternateFileName="BRIEFC~1.JPG")) returned 1 [0092.819] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\*", lpFindFileData=0x2e9e920 | out: lpFindFileData=0x2e9e920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x538bb350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x538bb350, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe27a0 [0092.819] FindNextFileW (in: hFindFile=0x3fe27a0, lpFindFileData=0x2e9e920 | out: lpFindFileData=0x2e9e920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x538bb350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x538bb350, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.819] FindNextFileW (in: hFindFile=0x3fe27a0, lpFindFileData=0x2e9e920 | out: lpFindFileData=0x2e9e920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Project Report Type", cAlternateFileName="PROJEC~1")) returned 1 [0092.820] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\*", lpFindFileData=0x2e9e6a4 | out: lpFindFileData=0x2e9e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe26a0 [0092.820] FindNextFileW (in: hFindFile=0x3fe26a0, lpFindFileData=0x2e9e6a4 | out: lpFindFileData=0x2e9e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.820] FindNextFileW (in: hFindFile=0x3fe26a0, lpFindFileData=0x2e9e6a4 | out: lpFindFileData=0x2e9e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6073a7d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Basic", cAlternateFileName="")) returned 1 [0092.820] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Basic\\*", lpFindFileData=0x2e9e428 | out: lpFindFileData=0x2e9e428*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6073a7d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2720 [0092.821] FindNextFileW (in: hFindFile=0x3fe2720, lpFindFileData=0x2e9e428 | out: lpFindFileData=0x2e9e428*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6073a7d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.821] FindNextFileW (in: hFindFile=0x3fe2720, lpFindFileData=0x2e9e428 | out: lpFindFileData=0x2e9e428*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb486c900, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb486c900, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0xced, dwReserved0=0x0, dwReserved1=0x0, cFileName="DEFAULT.XSL", cAlternateFileName="")) returned 1 [0092.821] FindClose (in: hFindFile=0x3fe2720 | out: hFindFile=0x3fe2720) returned 1 [0092.821] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x41097d8 | out: hHeap=0x240000) returned 1 [0092.821] FindNextFileW (in: hFindFile=0x3fe26a0, lpFindFileData=0x2e9e6a4 | out: lpFindFileData=0x2e9e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fancy", cAlternateFileName="")) returned 1 [0092.821] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\*", lpFindFileData=0x2e9e428 | out: lpFindFileData=0x2e9e428*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2720 [0092.822] FindNextFileW (in: hFindFile=0x3fe2720, lpFindFileData=0x2e9e428 | out: lpFindFileData=0x2e9e428*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.822] FindNextFileW (in: hFindFile=0x3fe2720, lpFindFileData=0x2e9e428 | out: lpFindFileData=0x2e9e428*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb486c900, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb486c900, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x16c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hierarchy.js", cAlternateFileName="HIERAR~1.JS")) returned 1 [0092.823] FindClose (in: hFindFile=0x3fe2720 | out: hFindFile=0x3fe2720) returned 1 [0092.824] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x41097d8 | out: hHeap=0x240000) returned 1 [0092.824] FindNextFileW (in: hFindFile=0x3fe26a0, lpFindFileData=0x2e9e6a4 | out: lpFindFileData=0x2e9e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fancy", cAlternateFileName="")) returned 0 [0092.824] FindClose (in: hFindFile=0x3fe26a0 | out: hFindFile=0x3fe26a0) returned 1 [0092.824] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40f97d0 | out: hHeap=0x240000) returned 1 [0092.824] FindNextFileW (in: hFindFile=0x3fe27a0, lpFindFileData=0x2e9e920 | out: lpFindFileData=0x2e9e920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Project Report Type", cAlternateFileName="PROJEC~1")) returned 0 [0092.824] FindClose (in: hFindFile=0x3fe27a0 | out: hFindFile=0x3fe27a0) returned 1 [0092.824] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3ff4768 | out: hHeap=0x240000) returned 1 [0092.824] FindNextFileW (in: hFindFile=0x3fe2620, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5b7f600, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb5b7f600, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x4f0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectToolsetIconImages.jpg", cAlternateFileName="PROJEC~3.JPG")) returned 1 [0092.824] FindClose (in: hFindFile=0x3fe2620 | out: hFindFile=0x3fe2620) returned 1 [0092.825] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4034788 | out: hHeap=0x240000) returned 1 [0092.825] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Welcome Tool", cAlternateFileName="WELCOM~1")) returned 1 [0092.825] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\*", lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2620 [0092.825] FindNextFileW (in: hFindFile=0x3fe2620, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.825] FindNextFileW (in: hFindFile=0x3fe2620, lpFindFileData=0x2e9eb9c | out: lpFindFileData=0x2e9eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbadd700, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbbadd700, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x10f3, dwReserved0=0x0, dwReserved1=0x0, cFileName="IconImages.jpg", cAlternateFileName="ICONIM~1.JPG")) returned 1 [0092.825] FindClose (in: hFindFile=0x3fe2620 | out: hFindFile=0x3fe2620) returned 1 [0092.825] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4034788 | out: hHeap=0x240000) returned 1 [0092.825] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Welcome Tool", cAlternateFileName="WELCOM~1")) returned 0 [0092.825] FindClose (in: hFindFile=0x3fe24a0 | out: hFindFile=0x3fe24a0) returned 1 [0092.825] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4024780 | out: hHeap=0x240000) returned 1 [0092.826] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51174850, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x709f1ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x709f1ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="groove.net", cAlternateFileName="")) returned 0 [0092.826] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0092.826] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x32b2a20 | out: hHeap=0x240000) returned 1 [0092.829] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52a4cdf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x709f1ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x709f1ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 1 [0092.829] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\*", lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52a4cdf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x709f1ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x709f1ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0092.833] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52a4cdf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x709f1ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x709f1ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.834] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcdf0400, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x5eb686b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbcdf0400, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0xa2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ALERT.ICO", cAlternateFileName="")) returned 1 [0092.836] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0092.836] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x32b2a20 | out: hHeap=0x240000) returned 1 [0092.836] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3caa70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3caa70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XML Files", cAlternateFileName="XMLFIL~1")) returned 1 [0092.836] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\*", lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3caa70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3caa70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0092.840] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3caa70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3caa70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.840] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd279da00, ftCreationTime.dwHighDateTime=0x1c8a0cd, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd279da00, ftLastWriteTime.dwHighDateTime=0x1c8a0cd, nFileSizeHigh=0x0, nFileSizeLow=0x487, dwReserved0=0x0, dwReserved1=0x0, cFileName="builtincontrolsschema.xsd", cAlternateFileName="BUILTI~1.XSD")) returned 1 [0092.841] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Space Templates\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe24a0 [0092.842] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.842] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0092.842] FindClose (in: hFindFile=0x3fe24a0 | out: hFindFile=0x3fe24a0) returned 1 [0092.842] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3ff4768 | out: hHeap=0x240000) returned 1 [0092.842] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a42b900, ftCreationTime.dwHighDateTime=0x1c9d747, ftLastAccessTime.dwLowDateTime=0x5abbba30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1a42b900, ftLastWriteTime.dwHighDateTime=0x1c9d747, nFileSizeHigh=0x0, nFileSizeLow=0x17e2d, dwReserved0=0x0, dwReserved1=0x0, cFileName="StarterApplicationDescriptors.xml", cAlternateFileName="STARTE~1.XML")) returned 1 [0092.843] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0092.843] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x32b2a20 | out: hHeap=0x240000) returned 1 [0092.843] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3caa70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3caa70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XML Files", cAlternateFileName="XMLFIL~1")) returned 0 [0092.843] FindClose (in: hFindFile=0x3fe23a0 | out: hFindFile=0x3fe23a0) returned 1 [0092.843] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3fd12f8 | out: hHeap=0x240000) returned 1 [0092.843] FindNextFileW (in: hFindFile=0x3fe2460, lpFindFileData=0x2e9f58c | out: lpFindFileData=0x2e9f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6fd7600, ftCreationTime.dwHighDateTime=0x1cacbb3, ftLastAccessTime.dwLowDateTime=0x52fce0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd6fd7600, ftLastWriteTime.dwHighDateTime=0x1cacbb3, nFileSizeHigh=0x0, nFileSizeLow=0x3112b78, dwReserved0=0x0, dwReserved1=0x0, cFileName="GROOVE.EXE", cAlternateFileName="")) returned 1 [0092.844] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\*", lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x544ee410, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64dbf390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe23a0 [0092.847] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x544ee410, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64dbf390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.847] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x545acaf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64de54f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathOMFormServices", cAlternateFileName="INFOPA~2")) returned 1 [0092.848] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\*", lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x545acaf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64de54f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0092.850] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x545acaf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64de54f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.850] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x553a8c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64de54f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathOMFormServicesV12", cAlternateFileName="INFOPA~1")) returned 1 [0092.851] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\*", lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x553a8c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64de54f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe24a0 [0092.852] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x553a8c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64de54f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.852] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9ee18 | out: lpFindFileData=0x2e9ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ae85c00, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x553a8c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5ae85c00, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xa770, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Infopath.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0092.852] FindClose (in: hFindFile=0x3fe24a0 | out: hFindFile=0x3fe24a0) returned 1 [0092.852] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3ff4768 | out: hHeap=0x240000) returned 1 [0092.852] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ae85c00, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5ae85c00, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xb770, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Infopath.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0092.853] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0092.853] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x32b2a20 | out: hHeap=0x240000) returned 1 [0092.853] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x544ee410, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64dbf390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathOMV12", cAlternateFileName="INFOPA~1")) returned 1 [0092.853] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\*", lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x544ee410, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64dbf390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0092.853] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x544ee410, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64dbf390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.853] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c198900, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x544ee410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5c198900, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xd770, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Infopath.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0092.853] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0092.854] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x32b2a20 | out: hHeap=0x240000) returned 1 [0092.854] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c198900, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5c198900, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xe770, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Infopath.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0092.854] FindClose (in: hFindFile=0x3fe23a0 | out: hFindFile=0x3fe23a0) returned 1 [0092.854] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3fd12f8 | out: hHeap=0x240000) returned 1 [0092.854] FindNextFileW (in: hFindFile=0x3fe2460, lpFindFileData=0x2e9f58c | out: lpFindFileData=0x2e9f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x553f4600, ftCreationTime.dwHighDateTime=0x1cab7c9, ftLastAccessTime.dwLowDateTime=0x61d191f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x553f4600, ftLastWriteTime.dwHighDateTime=0x1cab7c9, nFileSizeHigh=0x0, nFileSizeLow=0x7bb78, dwReserved0=0x0, dwReserved1=0x0, cFileName="INLAUNCH.DLL", cAlternateFileName="")) returned 1 [0092.855] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\*", lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x51fe2db0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x51fe2db0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe23a0 [0092.856] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x51fe2db0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x51fe2db0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.856] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Analysis", cAlternateFileName="")) returned 1 [0092.856] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\*", lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe24a0 [0093.115] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0093.115] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x2e9f094 | out: lpFindFileData=0x2e9f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a1ecf00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0xfa1ae930, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6a1ecf00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x3bb60, dwReserved0=0x0, dwReserved1=0x0, cFileName="ANALYS32.XLL", cAlternateFileName="")) returned 1 [0093.181] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x708e7550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x708e7550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0093.181] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x2e9f310 | out: lpFindFileData=0x2e9f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb796bf00, ftCreationTime.dwHighDateTime=0x1bd8ab7, ftLastAccessTime.dwLowDateTime=0x5ebdaad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb796bf00, ftLastWriteTime.dwHighDateTime=0x1bd8ab7, nFileSizeHigh=0x0, nFileSizeLow=0x6daa, dwReserved0=0x0, dwReserved1=0x0, cFileName="APPLAUSE.WAV", cAlternateFileName="")) returned 1 Thread: id = 14 os_tid = 0x5c4 [0066.939] GetTickCount () returned 0x1148881 [0066.939] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x24) returned 0x2e07b8 [0066.939] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x2e07b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x168 [0066.942] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x2e07b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x16c [0066.943] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x2e07b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x170 [0066.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x2e07b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x174 [0066.955] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298ca0 [0066.955] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298ca0, Size=0x20) returned 0x2df330 [0066.955] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298ca0 [0066.955] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298ca0, Size=0x20) returned 0x2df380 [0066.956] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0066.956] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0066.956] Wow64DisableWow64FsRedirection (in: OldValue=0x285ff84 | out: OldValue=0x285ff84*=0x0) returned 1 [0066.956] lstrlenW (lpString="kernel32.dll") returned 12 [0066.956] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df330 | out: hHeap=0x240000) returned 1 [0066.956] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0066.956] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df380 | out: hHeap=0x240000) returned 1 [0066.956] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x2cf1b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x178 [0066.957] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0067.355] GetTickCount () returned 0x114892d [0067.355] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0067.523] GetTickCount () returned 0x11489c9 [0067.523] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0067.880] GetTickCount () returned 0x1148b01 [0067.880] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0069.292] GetTickCount () returned 0x1148cc5 [0069.292] GetTickCount () returned 0x1148cc5 [0069.292] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0069.609] GetTickCount () returned 0x1148dfd [0069.609] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0069.789] GetTickCount () returned 0x1148eb9 [0069.789] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0069.895] GetTickCount () returned 0x1148f26 [0069.895] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0070.006] GetTickCount () returned 0x1148f93 [0070.006] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0070.129] GetTickCount () returned 0x1149010 [0070.129] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0070.299] GetTickCount () returned 0x11490ac [0070.299] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0070.450] GetTickCount () returned 0x1149148 [0070.450] GetTickCount () returned 0x1149148 [0070.450] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0070.563] GetTickCount () returned 0x11491b5 [0070.563] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0070.660] GetTickCount () returned 0x1149222 [0070.660] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0071.040] GetTickCount () returned 0x1149399 [0071.040] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0071.440] GetTickCount () returned 0x114952e [0071.440] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0071.787] GetTickCount () returned 0x1149686 [0071.787] GetTickCount () returned 0x1149686 [0071.787] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0072.064] GetTickCount () returned 0x114979e [0072.064] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0072.286] GetTickCount () returned 0x1149879 [0072.286] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0072.553] GetTickCount () returned 0x1149944 [0072.553] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0073.015] GetTickCount () returned 0x1149b18 [0073.015] GetTickCount () returned 0x1149b18 [0073.015] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0073.282] GetTickCount () returned 0x1149c21 [0073.282] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0073.843] GetTickCount () returned 0x1149e14 [0073.843] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0074.411] GetTickCount () returned 0x1149ff8 [0074.411] GetTickCount () returned 0x1149ff8 [0074.411] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0074.654] GetTickCount () returned 0x114a0d2 [0074.654] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0074.772] GetTickCount () returned 0x114a13f [0074.772] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0075.580] GetTickCount () returned 0x114a2a6 [0075.580] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0075.933] GetTickCount () returned 0x114a40d [0075.933] GetTickCount () returned 0x114a40d [0075.934] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0076.122] GetTickCount () returned 0x114a4c8 [0076.122] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0077.730] GetTickCount () returned 0x114a5d1 [0077.731] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0078.211] GetTickCount () returned 0x114a776 [0078.211] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0078.583] GetTickCount () returned 0x114a8ce [0078.583] GetTickCount () returned 0x114a8ce [0078.584] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0079.084] GetTickCount () returned 0x114aad0 [0079.084] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0079.480] GetTickCount () returned 0x114ac18 [0079.480] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0079.989] GetTickCount () returned 0x114ae1b [0079.989] GetTickCount () returned 0x114ae1b [0079.989] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0080.471] GetTickCount () returned 0x114afef [0080.471] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0080.834] GetTickCount () returned 0x114b165 [0080.834] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0081.154] GetTickCount () returned 0x114b25f [0081.154] GetTickCount () returned 0x114b25f [0081.154] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0081.604] GetTickCount () returned 0x114b414 [0081.605] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0081.831] GetTickCount () returned 0x114b4fe [0081.831] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0081.993] GetTickCount () returned 0x114b56b [0081.993] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0082.153] GetTickCount () returned 0x114b5d8 [0082.153] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0082.264] GetTickCount () returned 0x114b645 [0082.264] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0082.360] GetTickCount () returned 0x114b6b2 [0082.360] GetTickCount () returned 0x114b6b2 [0082.360] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0082.596] GetTickCount () returned 0x114b79c [0082.596] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0082.794] GetTickCount () returned 0x114b858 [0082.794] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0083.484] GetTickCount () returned 0x114bb16 [0083.484] GetTickCount () returned 0x114bb16 [0083.484] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0083.878] GetTickCount () returned 0x114bc9c [0083.878] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0084.210] GetTickCount () returned 0x114bde3 [0084.210] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0085.239] GetTickCount () returned 0x114c1e9 [0085.240] GetTickCount () returned 0x114c1e9 [0085.240] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0085.480] GetTickCount () returned 0x114c2e2 [0085.480] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0085.761] GetTickCount () returned 0x114c3fb [0085.761] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0086.030] GetTickCount () returned 0x114c504 [0086.030] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0086.417] GetTickCount () returned 0x114c68a [0086.417] GetTickCount () returned 0x114c68a [0086.418] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0086.921] GetTickCount () returned 0x114c87e [0086.921] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0087.215] GetTickCount () returned 0x114c9a6 [0087.215] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0087.578] GetTickCount () returned 0x114cb0d [0087.578] GetTickCount () returned 0x114cb0d [0087.578] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0088.063] GetTickCount () returned 0x114ccf0 [0088.063] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0088.213] GetTickCount () returned 0x114cd8c [0088.213] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0088.319] GetTickCount () returned 0x114cdfa [0088.319] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0088.428] GetTickCount () returned 0x114ce67 [0088.428] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0088.537] GetTickCount () returned 0x114ced4 [0088.537] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0088.647] GetTickCount () returned 0x114cf41 [0088.647] GetTickCount () returned 0x114cf41 [0088.647] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0088.772] GetTickCount () returned 0x114cfbe [0088.772] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0088.881] GetTickCount () returned 0x114d02b [0088.881] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0089.071] GetTickCount () returned 0x114d0e6 [0089.071] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0089.606] GetTickCount () returned 0x114d2f9 [0089.606] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0090.136] GetTickCount () returned 0x114d50b [0090.136] GetTickCount () returned 0x114d50b [0090.136] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0090.455] GetTickCount () returned 0x114d643 [0090.455] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0092.185] GetTickCount () returned 0x114dd16 [0092.188] GetTickCount () returned 0x114dd16 [0092.191] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0092.749] GetTickCount () returned 0x114df38 [0092.749] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) returned 0x102 [0093.114] GetTickCount () returned 0x114e0af [0093.114] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0x64) Thread: id = 15 os_tid = 0x648 [0067.389] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x32229d8 [0067.390] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x32329e0 [0067.391] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298d30 [0067.391] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x2e1020 [0067.391] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298d48 [0067.391] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x100000) returned 0x3b60020 [0067.391] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298d60 [0067.391] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298d60, Size=0x20) returned 0x2df678 [0067.391] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298d60 [0067.391] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298d60, Size=0x20) returned 0x2df6a0 [0067.391] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0067.391] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0067.391] Wow64DisableWow64FsRedirection (in: OldValue=0x351ff58 | out: OldValue=0x351ff58*=0x0) returned 1 [0067.391] lstrlenW (lpString="kernel32.dll") returned 12 [0067.392] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df678 | out: hHeap=0x240000) returned 1 [0067.392] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0067.392] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df6a0 | out: hHeap=0x240000) returned 1 [0067.392] Sleep (dwMilliseconds=0x64) [0067.524] lstrlenW (lpString="BCD") returned 3 [0067.524] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.524] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0067.524] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0067.524] lstrlenW (lpString=".doc") returned 4 [0067.524] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0067.524] lstrlenW (lpString=".docx") returned 5 [0067.524] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0067.524] lstrlenW (lpString=".pdf") returned 4 [0067.524] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0067.524] lstrlenW (lpString=".xls") returned 4 [0067.524] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0067.524] lstrlenW (lpString=".xlsx") returned 5 [0067.524] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0067.525] lstrlenW (lpString=".ppt") returned 4 [0067.525] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0067.525] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0067.525] lstrlenW (lpString=".zip") returned 4 [0067.525] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0067.525] lstrlenW (lpString=".rar") returned 4 [0067.525] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0067.525] lstrlenW (lpString=".bz2") returned 4 [0067.525] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0067.525] lstrlenW (lpString=".7z") returned 3 [0067.525] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0067.525] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0067.525] lstrlenW (lpString=".dbf") returned 4 [0067.525] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0067.525] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0067.525] lstrlenW (lpString=".1cd") returned 4 [0067.525] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0067.526] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0067.526] lstrlenW (lpString=".jpg") returned 4 [0067.526] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0067.526] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0067.526] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0067.526] lstrlenW (lpString=".doc") returned 4 [0067.526] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0067.526] lstrlenW (lpString=".docx") returned 5 [0067.526] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0067.526] lstrlenW (lpString=".pdf") returned 4 [0067.526] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0067.526] lstrlenW (lpString=".xls") returned 4 [0067.526] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0067.526] lstrlenW (lpString=".xlsx") returned 5 [0067.526] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0067.526] lstrlenW (lpString=".ppt") returned 4 [0067.526] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0067.526] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0067.526] lstrlenW (lpString=".zip") returned 4 [0067.526] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0067.526] lstrlenW (lpString=".rar") returned 4 [0067.526] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0067.526] lstrlenW (lpString=".bz2") returned 4 [0067.526] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0067.527] lstrlenW (lpString=".7z") returned 3 [0067.527] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0067.527] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0067.527] lstrlenW (lpString=".dbf") returned 4 [0067.527] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0067.527] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0067.527] lstrlenW (lpString=".1cd") returned 4 [0067.527] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0067.527] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0067.527] lstrlenW (lpString=".jpg") returned 4 [0067.527] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0067.527] lstrcmpiW (lpString1=".LOG1", lpString2=".mnbzr") returned -1 [0067.527] lstrlenW (lpString="BCD.LOG1") returned 8 [0067.527] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0067.882] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=0) returned 1 [0067.882] CloseHandle (hObject=0x1d8) returned 1 [0067.882] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0067.882] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0067.882] lstrlenW (lpString=".doc") returned 4 [0067.899] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0067.899] lstrlenW (lpString=".docx") returned 5 [0067.900] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0067.910] lstrlenW (lpString=".pdf") returned 4 [0067.910] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0067.910] lstrlenW (lpString=".xls") returned 4 [0067.911] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0067.911] lstrlenW (lpString=".xlsx") returned 5 [0067.911] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0067.911] lstrlenW (lpString=".ppt") returned 4 [0067.911] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0067.911] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0067.911] lstrlenW (lpString=".zip") returned 4 [0067.911] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0067.911] lstrlenW (lpString=".rar") returned 4 [0067.915] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0067.915] lstrlenW (lpString=".bz2") returned 4 [0067.915] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0067.915] lstrlenW (lpString=".7z") returned 3 [0067.915] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0067.915] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0067.915] lstrlenW (lpString=".dbf") returned 4 [0067.915] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0067.915] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0067.915] lstrlenW (lpString=".1cd") returned 4 [0067.915] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0067.915] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0067.915] lstrlenW (lpString=".jpg") returned 4 [0067.915] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0067.915] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0067.915] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0067.915] lstrlenW (lpString=".doc") returned 4 [0067.915] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0067.915] lstrlenW (lpString=".docx") returned 5 [0067.915] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0067.915] lstrlenW (lpString=".pdf") returned 4 [0067.915] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0067.915] lstrlenW (lpString=".xls") returned 4 [0067.915] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0067.915] lstrlenW (lpString=".xlsx") returned 5 [0067.916] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0067.916] lstrlenW (lpString=".ppt") returned 4 [0067.916] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0067.916] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0067.916] lstrlenW (lpString=".zip") returned 4 [0067.916] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0067.916] lstrlenW (lpString=".rar") returned 4 [0067.916] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0067.916] lstrlenW (lpString=".bz2") returned 4 [0067.916] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0067.916] lstrlenW (lpString=".7z") returned 3 [0067.916] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0067.916] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0067.916] lstrlenW (lpString=".dbf") returned 4 [0067.916] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0067.916] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0067.916] lstrlenW (lpString=".1cd") returned 4 [0067.916] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0067.916] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0067.916] lstrlenW (lpString=".jpg") returned 4 [0067.916] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0067.916] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0067.916] lstrlenW (lpString="PowerPointMUI.msi") returned 17 [0067.917] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0067.917] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=2503680) returned 1 [0067.917] CloseHandle (hObject=0x1d8) returned 1 [0067.917] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi")) returned 0x2020 [0067.917] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.917] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0067.918] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0067.918] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0x0) returned 1 [0067.918] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.918] ReadFile (in: hFile=0x1d8, lpBuffer=0x3b60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b60058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0068.033] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0068.033] ReadFile (in: hFile=0x1d8, lpBuffer=0x3ba0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ba0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0068.123] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0068.123] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0068.123] ReadFile (in: hFile=0x1d8, lpBuffer=0x3be0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3be0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0068.177] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0068.177] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xc010e, lpNumberOfBytesWritten=0x351fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fcb0*=0xc010e, lpOverlapped=0x0) returned 1 [0069.358] SetEndOfFile (hFile=0x1d8) returned 1 [0069.359] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40897c0 [0069.540] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.540] WriteFile (in: hFile=0x1d8, lpBuffer=0x40897c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40897c0*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.541] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.542] WriteFile (in: hFile=0x1d8, lpBuffer=0x40897c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40897c0*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.551] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.551] WriteFile (in: hFile=0x1d8, lpBuffer=0x40897c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40897c0*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.555] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40897c0 | out: hHeap=0x240000) returned 1 [0069.555] CloseHandle (hObject=0x1d8) returned 1 [0070.563] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0070.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0070.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0070.563] lstrlenW (lpString=".doc") returned 4 [0070.564] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0070.564] lstrlenW (lpString=".docx") returned 5 [0070.564] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0070.564] lstrlenW (lpString=".pdf") returned 4 [0070.564] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0070.564] lstrlenW (lpString=".xls") returned 4 [0070.564] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0070.564] lstrlenW (lpString=".xlsx") returned 5 [0070.564] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0070.564] lstrlenW (lpString=".ppt") returned 4 [0070.564] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0070.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0070.564] lstrlenW (lpString=".zip") returned 4 [0070.564] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0070.564] lstrlenW (lpString=".rar") returned 4 [0070.564] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0070.564] lstrlenW (lpString=".bz2") returned 4 [0070.564] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0070.564] lstrlenW (lpString=".7z") returned 3 [0070.564] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0070.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0070.564] lstrlenW (lpString=".dbf") returned 4 [0070.564] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0070.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0070.564] lstrlenW (lpString=".1cd") returned 4 [0070.564] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0070.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0070.564] lstrlenW (lpString=".jpg") returned 4 [0070.564] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0070.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0070.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0070.564] lstrlenW (lpString=".doc") returned 4 [0070.564] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0070.564] lstrlenW (lpString=".docx") returned 5 [0070.565] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0070.565] lstrlenW (lpString=".pdf") returned 4 [0070.565] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0070.565] lstrlenW (lpString=".xls") returned 4 [0070.565] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0070.565] lstrlenW (lpString=".xlsx") returned 5 [0070.565] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0070.565] lstrlenW (lpString=".ppt") returned 4 [0070.565] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0070.565] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0070.565] lstrlenW (lpString=".zip") returned 4 [0070.565] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0070.565] lstrlenW (lpString=".rar") returned 4 [0070.565] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0070.565] lstrlenW (lpString=".bz2") returned 4 [0070.565] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0070.565] lstrlenW (lpString=".7z") returned 3 [0070.565] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0070.565] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0070.565] lstrlenW (lpString=".dbf") returned 4 [0070.565] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0070.565] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0070.565] lstrlenW (lpString=".1cd") returned 4 [0070.565] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0070.565] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0070.565] lstrlenW (lpString=".jpg") returned 4 [0070.565] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0070.565] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0070.565] lstrlenW (lpString="PubLR.cab") returned 9 [0070.565] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0070.566] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=9958388) returned 1 [0070.566] CloseHandle (hObject=0x1d8) returned 1 [0070.566] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab")) returned 0x2020 [0070.566] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0070.566] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0070.567] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0070.567] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0x0) returned 1 [0070.567] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0070.567] ReadFile (in: hFile=0x1d8, lpBuffer=0x3b60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b60058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0070.833] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0070.833] ReadFile (in: hFile=0x1d8, lpBuffer=0x3ba0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ba0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0070.965] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0070.965] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0070.966] ReadFile (in: hFile=0x1d8, lpBuffer=0x3be0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3be0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0071.004] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.004] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x351fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0071.215] SetEndOfFile (hFile=0x1d8) returned 1 [0071.216] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40e97c8 [0071.301] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0071.301] WriteFile (in: hFile=0x1d8, lpBuffer=0x40e97c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40e97c8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0071.303] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0071.303] WriteFile (in: hFile=0x1d8, lpBuffer=0x40e97c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40e97c8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0071.311] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0071.312] WriteFile (in: hFile=0x1d8, lpBuffer=0x40e97c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40e97c8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0071.320] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40e97c8 | out: hHeap=0x240000) returned 1 [0071.320] CloseHandle (hObject=0x1d8) returned 1 [0074.405] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0074.405] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0074.405] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0074.405] lstrlenW (lpString=".doc") returned 4 [0074.405] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0074.405] lstrlenW (lpString=".docx") returned 5 [0074.405] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0074.405] lstrlenW (lpString=".pdf") returned 4 [0074.405] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0074.405] lstrlenW (lpString=".xls") returned 4 [0074.405] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0074.405] lstrlenW (lpString=".xlsx") returned 5 [0074.405] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0074.405] lstrlenW (lpString=".ppt") returned 4 [0074.406] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0074.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0074.406] lstrlenW (lpString=".zip") returned 4 [0074.406] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0074.406] lstrlenW (lpString=".rar") returned 4 [0074.406] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0074.406] lstrlenW (lpString=".bz2") returned 4 [0074.406] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0074.406] lstrlenW (lpString=".7z") returned 3 [0074.406] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0074.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0074.406] lstrlenW (lpString=".dbf") returned 4 [0074.406] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0074.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0074.406] lstrlenW (lpString=".1cd") returned 4 [0074.406] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0074.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0074.406] lstrlenW (lpString=".jpg") returned 4 [0074.406] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0074.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0074.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0074.406] lstrlenW (lpString=".doc") returned 4 [0074.406] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0074.406] lstrlenW (lpString=".docx") returned 5 [0074.406] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0074.406] lstrlenW (lpString=".pdf") returned 4 [0074.406] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0074.406] lstrlenW (lpString=".xls") returned 4 [0074.406] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0074.406] lstrlenW (lpString=".xlsx") returned 5 [0074.406] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0074.406] lstrlenW (lpString=".ppt") returned 4 [0074.406] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0074.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0074.407] lstrlenW (lpString=".zip") returned 4 [0074.407] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0074.407] lstrlenW (lpString=".rar") returned 4 [0074.407] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0074.407] lstrlenW (lpString=".bz2") returned 4 [0074.407] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0074.407] lstrlenW (lpString=".7z") returned 3 [0074.407] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0074.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0074.407] lstrlenW (lpString=".dbf") returned 4 [0074.407] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0074.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0074.407] lstrlenW (lpString=".1cd") returned 4 [0074.407] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0074.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0074.407] lstrlenW (lpString=".jpg") returned 4 [0074.407] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0074.407] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0074.407] lstrlenW (lpString="WordLR.cab") returned 10 [0074.407] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0074.408] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=43806141) returned 1 [0074.408] CloseHandle (hObject=0x1d8) returned 1 [0074.408] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab")) returned 0x2020 [0074.408] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.408] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0074.408] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0074.408] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0x0) returned 1 [0074.409] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0074.409] ReadFile (in: hFile=0x1d8, lpBuffer=0x3b60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b60058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0074.450] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0074.450] ReadFile (in: hFile=0x1d8, lpBuffer=0x3ba0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ba0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0074.465] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0074.465] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0074.465] ReadFile (in: hFile=0x1d8, lpBuffer=0x3be0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3be0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0074.503] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0074.504] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x351fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0074.521] SetEndOfFile (hFile=0x1d8) returned 1 [0074.521] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0074.522] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0074.522] WriteFile (in: hFile=0x1d8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0074.523] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0074.523] WriteFile (in: hFile=0x1d8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0074.525] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0074.525] WriteFile (in: hFile=0x1d8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0074.527] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0074.528] CloseHandle (hObject=0x1d8) returned 1 [0078.252] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0078.253] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0078.253] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0078.253] lstrlenW (lpString=".doc") returned 4 [0078.253] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0078.253] lstrlenW (lpString=".docx") returned 5 [0078.253] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0078.253] lstrlenW (lpString=".pdf") returned 4 [0078.253] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0078.253] lstrlenW (lpString=".xls") returned 4 [0078.253] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0078.253] lstrlenW (lpString=".xlsx") returned 5 [0078.253] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0078.253] lstrlenW (lpString=".ppt") returned 4 [0078.253] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0078.253] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0078.253] lstrlenW (lpString=".zip") returned 4 [0078.253] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0078.253] lstrlenW (lpString=".rar") returned 4 [0078.253] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0078.253] lstrlenW (lpString=".bz2") returned 4 [0078.253] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0078.253] lstrlenW (lpString=".7z") returned 3 [0078.253] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0078.253] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0078.253] lstrlenW (lpString=".dbf") returned 4 [0078.253] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0078.253] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0078.253] lstrlenW (lpString=".1cd") returned 4 [0078.254] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0078.254] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0078.254] lstrlenW (lpString=".jpg") returned 4 [0078.254] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0078.254] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0078.254] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0078.254] lstrlenW (lpString=".doc") returned 4 [0078.254] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0078.254] lstrlenW (lpString=".docx") returned 5 [0078.254] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0078.254] lstrlenW (lpString=".pdf") returned 4 [0078.254] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0078.254] lstrlenW (lpString=".xls") returned 4 [0078.254] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0078.254] lstrlenW (lpString=".xlsx") returned 5 [0078.254] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0078.254] lstrlenW (lpString=".ppt") returned 4 [0078.254] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0078.254] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0078.254] lstrlenW (lpString=".zip") returned 4 [0078.254] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0078.254] lstrlenW (lpString=".rar") returned 4 [0078.254] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0078.254] lstrlenW (lpString=".bz2") returned 4 [0078.254] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0078.254] lstrlenW (lpString=".7z") returned 3 [0078.254] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0078.254] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0078.255] lstrlenW (lpString=".dbf") returned 4 [0078.255] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0078.255] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0078.255] lstrlenW (lpString=".1cd") returned 4 [0078.255] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0078.255] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0078.255] lstrlenW (lpString=".jpg") returned 4 [0078.255] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0078.255] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0078.255] lstrlenW (lpString="Proof.cab") returned 9 [0078.255] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0078.255] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=21064532) returned 1 [0078.255] CloseHandle (hObject=0x1d8) returned 1 [0078.256] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab")) returned 0x2020 [0078.256] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0078.256] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0078.576] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0078.576] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0x0) returned 1 [0078.576] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0078.576] ReadFile (in: hFile=0x1d8, lpBuffer=0x3b60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b60058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0078.613] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0078.613] ReadFile (in: hFile=0x1d8, lpBuffer=0x3ba0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ba0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0078.635] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0078.635] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0078.635] ReadFile (in: hFile=0x1d8, lpBuffer=0x3be0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3be0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0078.658] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.658] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x351fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0079.018] SetEndOfFile (hFile=0x1d8) returned 1 [0079.018] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0079.063] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0079.063] WriteFile (in: hFile=0x1d8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0079.065] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0079.065] WriteFile (in: hFile=0x1d8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0079.066] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0079.066] WriteFile (in: hFile=0x1d8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0079.068] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0079.068] CloseHandle (hObject=0x1d8) returned 1 [0081.985] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0081.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0081.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0081.986] lstrlenW (lpString=".doc") returned 4 [0081.986] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0081.986] lstrlenW (lpString=".docx") returned 5 [0081.986] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0081.986] lstrlenW (lpString=".pdf") returned 4 [0081.986] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0081.986] lstrlenW (lpString=".xls") returned 4 [0081.986] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0081.986] lstrlenW (lpString=".xlsx") returned 5 [0081.986] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0081.986] lstrlenW (lpString=".ppt") returned 4 [0081.986] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0081.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0081.986] lstrlenW (lpString=".zip") returned 4 [0081.986] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0081.986] lstrlenW (lpString=".rar") returned 4 [0081.986] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0081.986] lstrlenW (lpString=".bz2") returned 4 [0081.986] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0081.986] lstrlenW (lpString=".7z") returned 3 [0081.987] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0081.987] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0081.987] lstrlenW (lpString=".dbf") returned 4 [0081.987] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0081.987] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0081.987] lstrlenW (lpString=".1cd") returned 4 [0081.987] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0081.987] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0081.987] lstrlenW (lpString=".jpg") returned 4 [0081.987] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0081.987] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0081.987] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0081.987] lstrlenW (lpString=".doc") returned 4 [0081.987] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0081.987] lstrlenW (lpString=".docx") returned 5 [0081.987] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0081.987] lstrlenW (lpString=".pdf") returned 4 [0081.987] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0081.987] lstrlenW (lpString=".xls") returned 4 [0081.987] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0081.987] lstrlenW (lpString=".xlsx") returned 5 [0081.987] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0081.987] lstrlenW (lpString=".ppt") returned 4 [0081.987] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0081.987] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0081.987] lstrlenW (lpString=".zip") returned 4 [0081.987] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0081.988] lstrlenW (lpString=".rar") returned 4 [0081.988] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0081.988] lstrlenW (lpString=".bz2") returned 4 [0081.988] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0081.988] lstrlenW (lpString=".7z") returned 3 [0081.988] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0081.988] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0081.988] lstrlenW (lpString=".dbf") returned 4 [0081.988] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0081.988] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0081.988] lstrlenW (lpString=".1cd") returned 4 [0081.988] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0081.988] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0081.988] lstrlenW (lpString=".jpg") returned 4 [0081.988] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0081.988] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0081.988] lstrlenW (lpString="OneNoteMUI.msi") returned 14 [0081.988] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0081.989] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=2503680) returned 1 [0081.989] CloseHandle (hObject=0x1d8) returned 1 [0081.989] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi")) returned 0x2020 [0081.989] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.989] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0081.990] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0081.990] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0x0) returned 1 [0081.990] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0081.990] ReadFile (in: hFile=0x1d8, lpBuffer=0x3b60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b60058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.658] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0082.659] ReadFile (in: hFile=0x1d8, lpBuffer=0x3ba0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ba0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.828] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0082.828] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0082.828] ReadFile (in: hFile=0x1d8, lpBuffer=0x3be0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3be0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.850] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0082.850] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x351fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0083.468] SetEndOfFile (hFile=0x1d8) returned 1 [0083.468] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40a97c0 [0083.468] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0083.468] WriteFile (in: hFile=0x1d8, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0083.470] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0083.470] WriteFile (in: hFile=0x1d8, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0083.477] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0083.477] WriteFile (in: hFile=0x1d8, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0083.480] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40a97c0 | out: hHeap=0x240000) returned 1 [0083.480] CloseHandle (hObject=0x1d8) returned 1 [0083.480] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0083.480] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0083.480] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0083.480] lstrlenW (lpString=".doc") returned 4 [0083.481] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0083.481] lstrlenW (lpString=".docx") returned 5 [0083.481] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0083.481] lstrlenW (lpString=".pdf") returned 4 [0083.481] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0083.481] lstrlenW (lpString=".xls") returned 4 [0083.481] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0083.481] lstrlenW (lpString=".xlsx") returned 5 [0083.481] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0083.481] lstrlenW (lpString=".ppt") returned 4 [0083.481] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0083.481] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0083.481] lstrlenW (lpString=".zip") returned 4 [0083.481] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0083.481] lstrlenW (lpString=".rar") returned 4 [0083.481] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0083.481] lstrlenW (lpString=".bz2") returned 4 [0083.481] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0083.481] lstrlenW (lpString=".7z") returned 3 [0083.481] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0083.481] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0083.481] lstrlenW (lpString=".dbf") returned 4 [0083.481] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0083.481] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0083.481] lstrlenW (lpString=".1cd") returned 4 [0083.481] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0083.481] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0083.481] lstrlenW (lpString=".jpg") returned 4 [0083.481] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0083.481] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0083.481] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0083.481] lstrlenW (lpString=".doc") returned 4 [0083.481] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0083.482] lstrlenW (lpString=".docx") returned 5 [0083.482] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0083.482] lstrlenW (lpString=".pdf") returned 4 [0083.482] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0083.482] lstrlenW (lpString=".xls") returned 4 [0083.482] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0083.482] lstrlenW (lpString=".xlsx") returned 5 [0083.482] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0083.482] lstrlenW (lpString=".ppt") returned 4 [0083.482] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0083.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0083.482] lstrlenW (lpString=".zip") returned 4 [0083.482] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0083.482] lstrlenW (lpString=".rar") returned 4 [0083.482] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0083.482] lstrlenW (lpString=".bz2") returned 4 [0083.482] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0083.482] lstrlenW (lpString=".7z") returned 3 [0083.482] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0083.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0083.482] lstrlenW (lpString=".dbf") returned 4 [0083.482] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0083.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0083.482] lstrlenW (lpString=".1cd") returned 4 [0083.482] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0083.482] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0083.482] lstrlenW (lpString=".jpg") returned 4 [0083.482] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0083.875] lstrcmpiW (lpString1=".dll", lpString2=".mnbzr") returned -1 [0083.875] lstrlenW (lpString="dwintl20.dll") returned 12 [0083.875] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0083.876] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=107912) returned 1 [0083.876] CloseHandle (hObject=0x204) returned 1 [0083.876] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 0x2020 [0083.876] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0083.876] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0083.876] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.876] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.877] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0085.557] GetLastError () returned 0x0 [0085.557] ReadFile (in: hFile=0x204, lpBuffer=0x3b60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x351fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesRead=0x351fed4*=0x1a588, lpOverlapped=0x0) returned 1 [0085.697] WriteFile (in: hFile=0x1f4, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0x1a590, lpNumberOfBytesWritten=0x351fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fc9c*=0x1a590, lpOverlapped=0x0) returned 1 [0085.701] ReadFile (in: hFile=0x204, lpBuffer=0x3b60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x351fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesRead=0x351fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.701] WriteFile (in: hFile=0x1f4, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x351fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fc9c*=0xec, lpOverlapped=0x0) returned 1 [0085.702] SetEndOfFile (hFile=0x1f4) returned 1 [0085.702] CloseHandle (hObject=0x1f4) returned 1 [0085.702] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.702] SetEndOfFile (hFile=0x204) returned 1 [0085.704] CloseHandle (hObject=0x204) returned 1 [0085.704] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0085.704] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 1 [0085.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0085.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0085.705] lstrlenW (lpString=".doc") returned 4 [0085.705] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0085.705] lstrlenW (lpString=".docx") returned 5 [0085.705] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0085.705] lstrlenW (lpString=".pdf") returned 4 [0085.705] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0085.705] lstrlenW (lpString=".xls") returned 4 [0085.705] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0085.705] lstrlenW (lpString=".xlsx") returned 5 [0085.705] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0085.705] lstrlenW (lpString=".ppt") returned 4 [0085.705] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0085.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0085.705] lstrlenW (lpString=".zip") returned 4 [0085.705] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0085.705] lstrlenW (lpString=".rar") returned 4 [0085.705] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0085.705] lstrlenW (lpString=".bz2") returned 4 [0085.705] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0085.705] lstrlenW (lpString=".7z") returned 3 [0085.706] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0085.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0085.706] lstrlenW (lpString=".dbf") returned 4 [0085.706] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0085.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0085.706] lstrlenW (lpString=".1cd") returned 4 [0085.706] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0085.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0085.706] lstrlenW (lpString=".jpg") returned 4 [0085.706] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0085.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0085.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0085.706] lstrlenW (lpString=".doc") returned 4 [0085.706] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0085.706] lstrlenW (lpString=".docx") returned 5 [0085.706] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0085.706] lstrlenW (lpString=".pdf") returned 4 [0085.706] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0085.706] lstrlenW (lpString=".xls") returned 4 [0085.706] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0085.706] lstrlenW (lpString=".xlsx") returned 5 [0085.706] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0085.706] lstrlenW (lpString=".ppt") returned 4 [0085.706] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0085.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0085.706] lstrlenW (lpString=".zip") returned 4 [0085.706] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0085.707] lstrlenW (lpString=".rar") returned 4 [0085.707] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0085.707] lstrlenW (lpString=".bz2") returned 4 [0085.707] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0085.707] lstrlenW (lpString=".7z") returned 3 [0085.707] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0085.707] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0085.707] lstrlenW (lpString=".dbf") returned 4 [0085.707] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0085.707] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0085.707] lstrlenW (lpString=".1cd") returned 4 [0085.707] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0085.707] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0085.707] lstrlenW (lpString=".jpg") returned 4 [0085.707] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0085.707] lstrcmpiW (lpString1=".dll", lpString2=".mnbzr") returned -1 [0085.707] lstrlenW (lpString="msvcr90.dll") returned 11 [0085.707] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0086.081] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=655872) returned 1 [0086.082] CloseHandle (hObject=0x1b0) returned 1 [0086.082] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 0x2020 [0086.094] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.094] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0086.098] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.098] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.099] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0086.099] GetLastError () returned 0x0 [0086.099] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x351fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesRead=0x351fed4*=0xa0200, lpOverlapped=0x0) returned 1 [0086.134] WriteFile (in: hFile=0x1fc, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xa0210, lpNumberOfBytesWritten=0x351fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fc9c*=0xa0210, lpOverlapped=0x0) returned 1 [0086.486] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x351fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesRead=0x351fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.486] WriteFile (in: hFile=0x1fc, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x351fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fc9c*=0xea, lpOverlapped=0x0) returned 1 [0086.486] SetEndOfFile (hFile=0x1fc) returned 1 [0086.486] CloseHandle (hObject=0x1fc) returned 1 [0086.486] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.486] SetEndOfFile (hFile=0x1b0) returned 1 [0086.512] CloseHandle (hObject=0x1b0) returned 1 [0086.512] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0086.513] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 1 [0086.513] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0086.513] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0086.513] lstrlenW (lpString=".doc") returned 4 [0086.513] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0086.513] lstrlenW (lpString=".docx") returned 5 [0086.513] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0086.513] lstrlenW (lpString=".pdf") returned 4 [0086.513] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0086.513] lstrlenW (lpString=".xls") returned 4 [0086.513] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0086.513] lstrlenW (lpString=".xlsx") returned 5 [0086.513] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0086.513] lstrlenW (lpString=".ppt") returned 4 [0086.513] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0086.514] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0086.514] lstrlenW (lpString=".zip") returned 4 [0086.514] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0086.514] lstrlenW (lpString=".rar") returned 4 [0086.514] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0086.514] lstrlenW (lpString=".bz2") returned 4 [0086.514] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0086.514] lstrlenW (lpString=".7z") returned 3 [0086.514] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0086.514] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0086.514] lstrlenW (lpString=".dbf") returned 4 [0086.514] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0086.514] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0086.514] lstrlenW (lpString=".1cd") returned 4 [0086.514] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0086.514] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0086.514] lstrlenW (lpString=".jpg") returned 4 [0086.514] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0086.514] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0086.514] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0086.514] lstrlenW (lpString=".doc") returned 4 [0086.514] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0086.514] lstrlenW (lpString=".docx") returned 5 [0086.514] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0086.514] lstrlenW (lpString=".pdf") returned 4 [0086.515] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0086.515] lstrlenW (lpString=".xls") returned 4 [0086.515] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0086.515] lstrlenW (lpString=".xlsx") returned 5 [0086.515] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0086.515] lstrlenW (lpString=".ppt") returned 4 [0086.515] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0086.515] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0086.515] lstrlenW (lpString=".zip") returned 4 [0086.515] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0086.515] lstrlenW (lpString=".rar") returned 4 [0086.515] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0086.515] lstrlenW (lpString=".bz2") returned 4 [0086.515] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0086.515] lstrlenW (lpString=".7z") returned 3 [0086.515] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0086.515] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0086.515] lstrlenW (lpString=".dbf") returned 4 [0086.515] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0086.515] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0086.515] lstrlenW (lpString=".1cd") returned 4 [0086.515] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0086.515] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0086.515] lstrlenW (lpString=".jpg") returned 4 [0086.515] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0086.516] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0086.516] lstrlenW (lpString="OfficeMUISet.msi") returned 16 [0086.516] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0086.516] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=868864) returned 1 [0086.516] CloseHandle (hObject=0x1b0) returned 1 [0086.516] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 0x2020 [0086.516] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.517] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0086.517] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.517] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.517] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0086.517] GetLastError () returned 0x0 [0086.517] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x351fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesRead=0x351fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0086.928] WriteFile (in: hFile=0x1fc, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x351fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0086.947] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x351fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesRead=0x351fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.948] WriteFile (in: hFile=0x1fc, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x351fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0086.948] SetEndOfFile (hFile=0x1fc) returned 1 [0086.948] CloseHandle (hObject=0x1fc) returned 1 [0086.948] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.948] SetEndOfFile (hFile=0x1b0) returned 1 [0086.958] CloseHandle (hObject=0x1b0) returned 1 [0086.958] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0086.958] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 1 [0086.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0086.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0086.959] lstrlenW (lpString=".doc") returned 4 [0086.959] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0086.959] lstrlenW (lpString=".docx") returned 5 [0086.959] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0086.959] lstrlenW (lpString=".pdf") returned 4 [0086.959] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0086.959] lstrlenW (lpString=".xls") returned 4 [0086.959] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0086.959] lstrlenW (lpString=".xlsx") returned 5 [0086.959] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0086.959] lstrlenW (lpString=".ppt") returned 4 [0086.959] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0086.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0086.959] lstrlenW (lpString=".zip") returned 4 [0086.959] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0086.959] lstrlenW (lpString=".rar") returned 4 [0086.959] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0086.959] lstrlenW (lpString=".bz2") returned 4 [0086.959] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0086.959] lstrlenW (lpString=".7z") returned 3 [0086.959] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0086.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0086.959] lstrlenW (lpString=".dbf") returned 4 [0086.959] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0086.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0086.959] lstrlenW (lpString=".1cd") returned 4 [0086.960] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0086.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0086.960] lstrlenW (lpString=".jpg") returned 4 [0086.960] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0086.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0086.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0086.960] lstrlenW (lpString=".doc") returned 4 [0086.960] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0086.960] lstrlenW (lpString=".docx") returned 5 [0086.960] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0086.960] lstrlenW (lpString=".pdf") returned 4 [0086.960] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0086.960] lstrlenW (lpString=".xls") returned 4 [0086.960] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0086.960] lstrlenW (lpString=".xlsx") returned 5 [0086.960] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0086.960] lstrlenW (lpString=".ppt") returned 4 [0086.960] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0086.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0086.960] lstrlenW (lpString=".zip") returned 4 [0086.960] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0086.960] lstrlenW (lpString=".rar") returned 4 [0086.960] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0086.960] lstrlenW (lpString=".bz2") returned 4 [0086.960] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0086.960] lstrlenW (lpString=".7z") returned 3 [0086.961] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0086.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0086.961] lstrlenW (lpString=".dbf") returned 4 [0086.961] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0086.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0086.961] lstrlenW (lpString=".1cd") returned 4 [0086.961] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0086.961] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0086.961] lstrlenW (lpString=".jpg") returned 4 [0086.961] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0086.961] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0086.961] lstrlenW (lpString="AccessMUISet.msi") returned 16 [0086.961] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0087.658] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=868864) returned 1 [0087.658] CloseHandle (hObject=0x200) returned 1 [0087.658] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 0x2020 [0087.659] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0087.663] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0087.665] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0087.666] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0087.666] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0088.144] GetLastError () returned 0x0 [0088.144] ReadFile (in: hFile=0x200, lpBuffer=0x3b60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x351fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesRead=0x351fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0088.368] WriteFile (in: hFile=0x1c8, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x351fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0088.384] ReadFile (in: hFile=0x200, lpBuffer=0x3b60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x351fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesRead=0x351fed4*=0x0, lpOverlapped=0x0) returned 1 [0088.385] WriteFile (in: hFile=0x1c8, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x351fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0088.385] SetEndOfFile (hFile=0x1c8) returned 1 [0088.385] CloseHandle (hObject=0x1c8) returned 1 [0088.386] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0088.386] SetEndOfFile (hFile=0x200) returned 1 [0088.393] CloseHandle (hObject=0x200) returned 1 [0088.394] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0088.394] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 1 [0088.394] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0088.394] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0088.394] lstrlenW (lpString=".doc") returned 4 [0088.394] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0088.394] lstrlenW (lpString=".docx") returned 5 [0088.394] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0088.394] lstrlenW (lpString=".pdf") returned 4 [0088.394] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0088.394] lstrlenW (lpString=".xls") returned 4 [0088.394] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0088.394] lstrlenW (lpString=".xlsx") returned 5 [0088.394] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0088.394] lstrlenW (lpString=".ppt") returned 4 [0088.394] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0088.394] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0088.395] lstrlenW (lpString=".zip") returned 4 [0088.395] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0088.395] lstrlenW (lpString=".rar") returned 4 [0088.395] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0088.395] lstrlenW (lpString=".bz2") returned 4 [0088.395] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0088.395] lstrlenW (lpString=".7z") returned 3 [0088.395] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0088.395] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0088.395] lstrlenW (lpString=".dbf") returned 4 [0088.395] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0088.395] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0088.395] lstrlenW (lpString=".1cd") returned 4 [0088.395] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0088.395] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0088.395] lstrlenW (lpString=".jpg") returned 4 [0088.395] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0088.395] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0088.395] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0088.395] lstrlenW (lpString=".doc") returned 4 [0088.395] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0088.395] lstrlenW (lpString=".docx") returned 5 [0088.395] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0088.395] lstrlenW (lpString=".pdf") returned 4 [0088.395] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0088.395] lstrlenW (lpString=".xls") returned 4 [0088.395] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0088.395] lstrlenW (lpString=".xlsx") returned 5 [0088.395] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0088.395] lstrlenW (lpString=".ppt") returned 4 [0088.395] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0088.395] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0088.395] lstrlenW (lpString=".zip") returned 4 [0088.395] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0088.395] lstrlenW (lpString=".rar") returned 4 [0088.396] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0088.396] lstrlenW (lpString=".bz2") returned 4 [0088.396] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0088.396] lstrlenW (lpString=".7z") returned 3 [0088.396] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0088.396] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0088.396] lstrlenW (lpString=".dbf") returned 4 [0088.396] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0088.396] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0088.396] lstrlenW (lpString=".1cd") returned 4 [0088.396] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0088.396] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0088.396] lstrlenW (lpString=".jpg") returned 4 [0088.396] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0088.396] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0088.396] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0088.396] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0088.416] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=36233052) returned 1 [0088.416] CloseHandle (hObject=0x200) returned 1 [0088.416] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0088.416] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0088.416] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0088.417] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0088.417] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0x0) returned 1 [0088.418] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0088.418] ReadFile (in: hFile=0x200, lpBuffer=0x3b60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b60058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0088.922] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0088.922] ReadFile (in: hFile=0x200, lpBuffer=0x3ba0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ba0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0089.177] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0089.177] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0089.177] ReadFile (in: hFile=0x200, lpBuffer=0x3be0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3be0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0089.406] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.407] WriteFile (in: hFile=0x200, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x351fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0089.581] SetEndOfFile (hFile=0x200) returned 1 [0089.581] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0089.581] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0089.581] WriteFile (in: hFile=0x200, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0089.726] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0089.726] WriteFile (in: hFile=0x200, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0089.727] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0089.727] WriteFile (in: hFile=0x200, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0089.730] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0089.733] CloseHandle (hObject=0x200) returned 1 [0089.733] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0089.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0089.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0089.734] lstrlenW (lpString=".doc") returned 4 [0089.734] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0089.734] lstrlenW (lpString=".docx") returned 5 [0089.734] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0089.734] lstrlenW (lpString=".pdf") returned 4 [0089.734] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0089.734] lstrlenW (lpString=".xls") returned 4 [0089.734] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0089.734] lstrlenW (lpString=".xlsx") returned 5 [0089.734] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0089.734] lstrlenW (lpString=".ppt") returned 4 [0089.734] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0089.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0089.734] lstrlenW (lpString=".zip") returned 4 [0089.734] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0089.734] lstrlenW (lpString=".rar") returned 4 [0089.734] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0089.734] lstrlenW (lpString=".bz2") returned 4 [0089.734] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0089.734] lstrlenW (lpString=".7z") returned 3 [0089.734] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0089.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0089.735] lstrlenW (lpString=".dbf") returned 4 [0089.735] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0089.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0089.735] lstrlenW (lpString=".1cd") returned 4 [0089.735] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0089.735] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0089.735] lstrlenW (lpString=".jpg") returned 4 [0089.735] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0089.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0089.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0089.973] lstrlenW (lpString=".doc") returned 4 [0089.973] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0089.973] lstrlenW (lpString=".docx") returned 5 [0089.973] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0089.973] lstrlenW (lpString=".pdf") returned 4 [0089.973] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0089.973] lstrlenW (lpString=".xls") returned 4 [0089.973] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0089.973] lstrlenW (lpString=".xlsx") returned 5 [0089.973] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0089.973] lstrlenW (lpString=".ppt") returned 4 [0089.973] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0089.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0089.973] lstrlenW (lpString=".zip") returned 4 [0089.973] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0089.973] lstrlenW (lpString=".rar") returned 4 [0089.973] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0089.973] lstrlenW (lpString=".bz2") returned 4 [0089.973] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0089.973] lstrlenW (lpString=".7z") returned 3 [0089.973] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0089.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0089.973] lstrlenW (lpString=".dbf") returned 4 [0089.973] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0089.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0089.973] lstrlenW (lpString=".1cd") returned 4 [0089.973] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0089.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0089.973] lstrlenW (lpString=".jpg") returned 4 [0089.974] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0089.974] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0089.974] lstrlenW (lpString="ProPlusrWW.msi") returned 14 [0089.974] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0089.987] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=27532288) returned 1 [0089.987] CloseHandle (hObject=0x20c) returned 1 [0089.991] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi")) returned 0x2020 [0089.991] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0089.991] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0089.992] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0089.993] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0x0) returned 1 [0089.993] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0089.997] ReadFile (in: hFile=0x1e8, lpBuffer=0x3b60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b60058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0090.022] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0090.022] ReadFile (in: hFile=0x1e8, lpBuffer=0x3ba0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ba0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0090.030] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x351fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0090.030] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x351fc2c | out: lpNewFilePointer=0x0) returned 1 [0090.030] ReadFile (in: hFile=0x1e8, lpBuffer=0x3be0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x351fc38, lpOverlapped=0x0 | out: lpBuffer=0x3be0058*, lpNumberOfBytesRead=0x351fc38*=0x40000, lpOverlapped=0x0) returned 1 [0090.200] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0090.200] WriteFile (in: hFile=0x1e8, lpBuffer=0x3b60020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x351fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b60020*, lpNumberOfBytesWritten=0x351fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0090.220] SetEndOfFile (hFile=0x1e8) returned 1 [0090.613] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0090.613] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0090.613] WriteFile (in: hFile=0x1e8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0090.614] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0090.614] WriteFile (in: hFile=0x1e8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0090.619] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x351fc7c | out: lpNewFilePointer=0x0) returned 1 [0090.619] WriteFile (in: hFile=0x1e8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x351fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x351fc88*=0x40000, lpOverlapped=0x0) returned 1 [0090.622] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0090.622] CloseHandle (hObject=0x1e8) returned 1 [0090.622] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0090.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0090.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0090.623] lstrlenW (lpString=".doc") returned 4 [0090.623] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0090.623] lstrlenW (lpString=".docx") returned 5 [0090.623] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0090.623] lstrlenW (lpString=".pdf") returned 4 [0090.623] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0090.623] lstrlenW (lpString=".xls") returned 4 [0090.623] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0090.623] lstrlenW (lpString=".xlsx") returned 5 [0090.623] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0090.623] lstrlenW (lpString=".ppt") returned 4 [0090.623] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0090.623] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0090.623] lstrlenW (lpString=".zip") returned 4 [0090.624] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0090.624] lstrlenW (lpString=".rar") returned 4 [0090.624] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0090.624] lstrlenW (lpString=".bz2") returned 4 [0090.624] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0090.624] lstrlenW (lpString=".7z") returned 3 [0090.624] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0090.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0090.624] lstrlenW (lpString=".dbf") returned 4 [0090.624] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0090.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0090.624] lstrlenW (lpString=".1cd") returned 4 [0090.624] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0090.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0090.624] lstrlenW (lpString=".jpg") returned 4 [0090.624] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0090.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0090.624] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0090.624] lstrlenW (lpString=".doc") returned 4 [0090.624] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0090.624] lstrlenW (lpString=".docx") returned 5 [0090.624] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0090.624] lstrlenW (lpString=".pdf") returned 4 [0090.624] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0090.625] lstrlenW (lpString=".xls") returned 4 [0090.625] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0090.625] lstrlenW (lpString=".xlsx") returned 5 [0090.625] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0090.625] lstrlenW (lpString=".ppt") returned 4 [0090.625] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0090.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0090.625] lstrlenW (lpString=".zip") returned 4 [0090.625] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0090.625] lstrlenW (lpString=".rar") returned 4 [0090.625] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0090.625] lstrlenW (lpString=".bz2") returned 4 [0090.625] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0090.625] lstrlenW (lpString=".7z") returned 3 [0090.625] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0090.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0090.625] lstrlenW (lpString=".dbf") returned 4 [0090.625] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0090.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0090.625] lstrlenW (lpString=".1cd") returned 4 [0090.625] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0090.625] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0090.625] lstrlenW (lpString=".jpg") returned 4 [0090.625] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0090.626] lstrcmpiW (lpString1=".exe", lpString2=".mnbzr") returned -1 [0090.626] lstrlenW (lpString="setup.exe") returned 9 [0090.626] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0092.897] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x351ff1c | out: lpFileSize=0x351ff1c*=1377656) returned 1 [0092.897] CloseHandle (hObject=0x1d0) returned 1 [0092.898] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0092.898] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0092.898] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0092.898] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.898] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x351fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.898] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 16 os_tid = 0x700 [0067.392] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x32429e8 [0067.392] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x32529f0 [0067.393] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298d60 [0067.393] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x2e1060 [0067.393] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298d78 [0067.393] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x100000) returned 0x3c70020 [0067.393] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298d90 [0067.393] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298d90, Size=0x20) returned 0x2df6a0 [0067.393] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298d90 [0067.393] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298d90, Size=0x20) returned 0x2df678 [0067.394] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0067.394] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0067.394] Wow64DisableWow64FsRedirection (in: OldValue=0x365ff58 | out: OldValue=0x365ff58*=0x0) returned 1 [0067.394] lstrlenW (lpString="kernel32.dll") returned 12 [0067.394] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df6a0 | out: hHeap=0x240000) returned 1 [0067.394] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0067.394] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df678 | out: hHeap=0x240000) returned 1 [0067.394] Sleep (dwMilliseconds=0x64) [0067.528] lstrcmpiW (lpString1=".LOG2", lpString2=".mnbzr") returned -1 [0067.528] lstrlenW (lpString="BCD.LOG2") returned 8 [0067.528] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0067.919] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x365ff1c | out: lpFileSize=0x365ff1c*=0) returned 1 [0067.919] CloseHandle (hObject=0x1dc) returned 1 [0067.919] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0067.919] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0067.919] lstrlenW (lpString=".doc") returned 4 [0067.919] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0067.919] lstrlenW (lpString=".docx") returned 5 [0067.919] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0067.919] lstrlenW (lpString=".pdf") returned 4 [0067.919] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0067.919] lstrlenW (lpString=".xls") returned 4 [0067.919] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0067.919] lstrlenW (lpString=".xlsx") returned 5 [0067.919] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0067.919] lstrlenW (lpString=".ppt") returned 4 [0067.919] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0067.919] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0067.919] lstrlenW (lpString=".zip") returned 4 [0067.919] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0067.919] lstrlenW (lpString=".rar") returned 4 [0067.919] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0067.919] lstrlenW (lpString=".bz2") returned 4 [0067.919] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0067.919] lstrlenW (lpString=".7z") returned 3 [0067.919] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0067.920] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0067.920] lstrlenW (lpString=".dbf") returned 4 [0067.920] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0067.920] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0067.920] lstrlenW (lpString=".1cd") returned 4 [0067.920] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0067.920] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0067.920] lstrlenW (lpString=".jpg") returned 4 [0067.920] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0067.920] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0067.920] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0067.920] lstrlenW (lpString=".doc") returned 4 [0067.920] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0067.920] lstrlenW (lpString=".docx") returned 5 [0067.920] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0067.920] lstrlenW (lpString=".pdf") returned 4 [0067.920] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0067.920] lstrlenW (lpString=".xls") returned 4 [0067.920] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0067.920] lstrlenW (lpString=".xlsx") returned 5 [0067.920] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0067.920] lstrlenW (lpString=".ppt") returned 4 [0067.920] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0067.920] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0067.920] lstrlenW (lpString=".zip") returned 4 [0067.920] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0067.920] lstrlenW (lpString=".rar") returned 4 [0067.921] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0067.921] lstrlenW (lpString=".bz2") returned 4 [0067.921] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0067.921] lstrlenW (lpString=".7z") returned 3 [0067.921] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0067.921] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0067.921] lstrlenW (lpString=".dbf") returned 4 [0067.921] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0067.921] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0067.921] lstrlenW (lpString=".1cd") returned 4 [0067.921] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0067.921] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0067.921] lstrlenW (lpString=".jpg") returned 4 [0067.921] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0067.921] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0067.921] lstrlenW (lpString="PptLR.cab") returned 9 [0067.921] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0068.373] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x365ff1c | out: lpFileSize=0x365ff1c*=70361744) returned 1 [0068.373] CloseHandle (hObject=0x1b8) returned 1 [0068.373] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab")) returned 0x2020 [0068.373] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0068.373] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0068.374] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0068.374] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0x0) returned 1 [0068.374] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0068.374] ReadFile (in: hFile=0x1b8, lpBuffer=0x3c70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c70058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0069.525] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0069.525] ReadFile (in: hFile=0x1b8, lpBuffer=0x3cb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cb0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0069.969] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0069.969] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0069.969] ReadFile (in: hFile=0x1b8, lpBuffer=0x3cf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cf0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0070.858] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.858] WriteFile (in: hFile=0x1b8, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x365fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0070.875] SetEndOfFile (hFile=0x1b8) returned 1 [0070.875] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40a97c0 [0071.268] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0071.268] WriteFile (in: hFile=0x1b8, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0071.269] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0071.269] WriteFile (in: hFile=0x1b8, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0071.270] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0071.270] WriteFile (in: hFile=0x1b8, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0071.271] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40a97c0 | out: hHeap=0x240000) returned 1 [0071.353] CloseHandle (hObject=0x1b8) returned 1 [0074.452] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0074.452] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0074.453] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0074.453] lstrlenW (lpString=".doc") returned 4 [0074.453] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0074.453] lstrlenW (lpString=".docx") returned 5 [0074.453] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0074.453] lstrlenW (lpString=".pdf") returned 4 [0074.453] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0074.453] lstrlenW (lpString=".xls") returned 4 [0074.453] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0074.453] lstrlenW (lpString=".xlsx") returned 5 [0074.453] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0074.453] lstrlenW (lpString=".ppt") returned 4 [0074.453] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0074.453] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0074.453] lstrlenW (lpString=".zip") returned 4 [0074.453] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0074.453] lstrlenW (lpString=".rar") returned 4 [0074.453] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0074.453] lstrlenW (lpString=".bz2") returned 4 [0074.453] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0074.455] lstrlenW (lpString=".7z") returned 3 [0074.455] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0074.455] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0074.456] lstrlenW (lpString=".dbf") returned 4 [0074.456] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0074.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0074.456] lstrlenW (lpString=".1cd") returned 4 [0074.456] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0074.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0074.456] lstrlenW (lpString=".jpg") returned 4 [0074.456] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0074.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0074.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0074.456] lstrlenW (lpString=".doc") returned 4 [0074.456] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0074.456] lstrlenW (lpString=".docx") returned 5 [0074.456] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0074.456] lstrlenW (lpString=".pdf") returned 4 [0074.456] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0074.456] lstrlenW (lpString=".xls") returned 4 [0074.456] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0074.456] lstrlenW (lpString=".xlsx") returned 5 [0074.456] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0074.456] lstrlenW (lpString=".ppt") returned 4 [0074.456] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0074.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0074.456] lstrlenW (lpString=".zip") returned 4 [0074.456] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0074.456] lstrlenW (lpString=".rar") returned 4 [0074.456] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0074.456] lstrlenW (lpString=".bz2") returned 4 [0074.456] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0074.456] lstrlenW (lpString=".7z") returned 3 [0074.456] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0074.456] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0074.456] lstrlenW (lpString=".dbf") returned 4 [0074.456] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0074.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0074.457] lstrlenW (lpString=".1cd") returned 4 [0074.457] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0074.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0074.457] lstrlenW (lpString=".jpg") returned 4 [0074.457] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0074.457] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0074.457] lstrlenW (lpString="WordMUI.msi") returned 11 [0074.457] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0074.457] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x365ff1c | out: lpFileSize=0x365ff1c*=2522624) returned 1 [0074.457] CloseHandle (hObject=0x1f0) returned 1 [0074.457] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi")) returned 0x2020 [0074.457] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.458] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0074.458] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0074.458] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0x0) returned 1 [0074.458] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0074.458] ReadFile (in: hFile=0x1f0, lpBuffer=0x3c70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c70058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0074.530] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0074.530] ReadFile (in: hFile=0x1f0, lpBuffer=0x3cb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cb0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0074.647] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0074.647] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0074.647] ReadFile (in: hFile=0x1f0, lpBuffer=0x3cf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cf0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0075.306] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.307] WriteFile (in: hFile=0x1f0, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x365fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0075.326] SetEndOfFile (hFile=0x1f0) returned 1 [0075.326] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0075.326] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0075.326] WriteFile (in: hFile=0x1f0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0075.328] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0075.328] WriteFile (in: hFile=0x1f0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0075.334] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0075.334] WriteFile (in: hFile=0x1f0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0075.337] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0075.337] CloseHandle (hObject=0x1f0) returned 1 [0076.122] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0076.122] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0076.122] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0076.122] lstrlenW (lpString=".doc") returned 4 [0076.122] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0076.123] lstrlenW (lpString=".docx") returned 5 [0076.123] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0076.123] lstrlenW (lpString=".pdf") returned 4 [0076.123] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0076.123] lstrlenW (lpString=".xls") returned 4 [0076.123] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0076.123] lstrlenW (lpString=".xlsx") returned 5 [0076.123] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0076.123] lstrlenW (lpString=".ppt") returned 4 [0076.123] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0076.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0076.123] lstrlenW (lpString=".zip") returned 4 [0076.123] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0076.123] lstrlenW (lpString=".rar") returned 4 [0076.123] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0076.123] lstrlenW (lpString=".bz2") returned 4 [0076.123] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0076.123] lstrlenW (lpString=".7z") returned 3 [0076.123] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0076.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0076.123] lstrlenW (lpString=".dbf") returned 4 [0076.123] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0076.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0076.123] lstrlenW (lpString=".1cd") returned 4 [0076.123] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0076.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0076.123] lstrlenW (lpString=".jpg") returned 4 [0076.123] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0076.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0076.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0076.123] lstrlenW (lpString=".doc") returned 4 [0076.123] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0076.123] lstrlenW (lpString=".docx") returned 5 [0076.124] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0076.124] lstrlenW (lpString=".pdf") returned 4 [0076.124] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0076.124] lstrlenW (lpString=".xls") returned 4 [0076.124] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0076.124] lstrlenW (lpString=".xlsx") returned 5 [0076.124] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0076.124] lstrlenW (lpString=".ppt") returned 4 [0076.124] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0076.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0076.124] lstrlenW (lpString=".zip") returned 4 [0076.124] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0076.124] lstrlenW (lpString=".rar") returned 4 [0076.124] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0076.124] lstrlenW (lpString=".bz2") returned 4 [0076.124] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0076.124] lstrlenW (lpString=".7z") returned 3 [0076.124] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0076.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0076.124] lstrlenW (lpString=".dbf") returned 4 [0076.124] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0076.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0076.124] lstrlenW (lpString=".1cd") returned 4 [0076.124] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0076.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0076.124] lstrlenW (lpString=".jpg") returned 4 [0076.124] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0076.124] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0076.124] lstrlenW (lpString="Proof.cab") returned 9 [0076.125] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0077.739] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x365ff1c | out: lpFileSize=0x365ff1c*=13642474) returned 1 [0077.739] CloseHandle (hObject=0x1f4) returned 1 [0077.739] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab")) returned 0x2020 [0077.739] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0077.739] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0077.817] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0077.817] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0x0) returned 1 [0077.817] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0077.817] ReadFile (in: hFile=0x1f4, lpBuffer=0x3c70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c70058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0077.917] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0077.917] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cb0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0077.926] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0077.927] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0077.927] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cf0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0078.006] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0078.007] WriteFile (in: hFile=0x1f4, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x365fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0078.280] SetEndOfFile (hFile=0x1f4) returned 1 [0078.280] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0078.467] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0078.467] WriteFile (in: hFile=0x1f4, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0078.468] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0078.469] WriteFile (in: hFile=0x1f4, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0078.470] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0078.470] WriteFile (in: hFile=0x1f4, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0078.472] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0078.476] CloseHandle (hObject=0x1f4) returned 1 [0081.202] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0081.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0081.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0081.202] lstrlenW (lpString=".doc") returned 4 [0081.202] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0081.202] lstrlenW (lpString=".docx") returned 5 [0081.202] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0081.202] lstrlenW (lpString=".pdf") returned 4 [0081.202] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0081.202] lstrlenW (lpString=".xls") returned 4 [0081.202] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0081.202] lstrlenW (lpString=".xlsx") returned 5 [0081.202] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0081.202] lstrlenW (lpString=".ppt") returned 4 [0081.202] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0081.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0081.202] lstrlenW (lpString=".zip") returned 4 [0081.202] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0081.202] lstrlenW (lpString=".rar") returned 4 [0081.202] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0081.202] lstrlenW (lpString=".bz2") returned 4 [0081.202] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0081.202] lstrlenW (lpString=".7z") returned 3 [0081.202] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0081.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0081.203] lstrlenW (lpString=".dbf") returned 4 [0081.203] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0081.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0081.203] lstrlenW (lpString=".1cd") returned 4 [0081.203] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0081.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0081.203] lstrlenW (lpString=".jpg") returned 4 [0081.203] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0081.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0081.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0081.203] lstrlenW (lpString=".doc") returned 4 [0081.203] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0081.203] lstrlenW (lpString=".docx") returned 5 [0081.203] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0081.203] lstrlenW (lpString=".pdf") returned 4 [0081.203] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0081.203] lstrlenW (lpString=".xls") returned 4 [0081.203] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0081.203] lstrlenW (lpString=".xlsx") returned 5 [0081.203] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0081.203] lstrlenW (lpString=".ppt") returned 4 [0081.203] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0081.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0081.203] lstrlenW (lpString=".zip") returned 4 [0081.203] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0081.203] lstrlenW (lpString=".rar") returned 4 [0081.203] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0081.203] lstrlenW (lpString=".bz2") returned 4 [0081.203] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0081.203] lstrlenW (lpString=".7z") returned 3 [0081.203] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0081.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0081.203] lstrlenW (lpString=".dbf") returned 4 [0081.203] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0081.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0081.204] lstrlenW (lpString=".1cd") returned 4 [0081.204] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0081.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0081.204] lstrlenW (lpString=".jpg") returned 4 [0081.204] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0081.204] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0081.204] lstrlenW (lpString="InfoPathMUI.msi") returned 15 [0081.204] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0081.204] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x365ff1c | out: lpFileSize=0x365ff1c*=3124224) returned 1 [0081.204] CloseHandle (hObject=0x1f4) returned 1 [0081.204] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi")) returned 0x2020 [0081.204] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.204] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0081.205] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0081.205] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0x0) returned 1 [0081.205] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0081.205] ReadFile (in: hFile=0x1f4, lpBuffer=0x3c70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c70058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0081.235] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0081.235] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cb0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0081.337] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0081.337] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0081.337] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cf0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0081.643] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0081.643] WriteFile (in: hFile=0x1f4, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0xc010a, lpNumberOfBytesWritten=0x365fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fcb0*=0xc010a, lpOverlapped=0x0) returned 1 [0081.670] SetEndOfFile (hFile=0x1f4) returned 1 [0081.670] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40a97c0 [0081.670] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0081.670] WriteFile (in: hFile=0x1f4, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0081.672] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0081.672] WriteFile (in: hFile=0x1f4, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0081.823] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0081.823] WriteFile (in: hFile=0x1f4, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0081.825] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40a97c0 | out: hHeap=0x240000) returned 1 [0081.825] CloseHandle (hObject=0x1f4) returned 1 [0081.826] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0081.826] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0081.826] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0081.826] lstrlenW (lpString=".doc") returned 4 [0081.826] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0081.826] lstrlenW (lpString=".docx") returned 5 [0081.826] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0081.826] lstrlenW (lpString=".pdf") returned 4 [0081.826] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0081.826] lstrlenW (lpString=".xls") returned 4 [0081.826] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0081.826] lstrlenW (lpString=".xlsx") returned 5 [0081.826] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0081.826] lstrlenW (lpString=".ppt") returned 4 [0081.826] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0081.826] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0081.826] lstrlenW (lpString=".zip") returned 4 [0081.826] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0081.826] lstrlenW (lpString=".rar") returned 4 [0081.826] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0081.826] lstrlenW (lpString=".bz2") returned 4 [0081.826] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0081.826] lstrlenW (lpString=".7z") returned 3 [0081.827] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0081.827] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0081.827] lstrlenW (lpString=".dbf") returned 4 [0081.827] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0081.827] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0081.827] lstrlenW (lpString=".1cd") returned 4 [0081.827] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0081.827] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0081.827] lstrlenW (lpString=".jpg") returned 4 [0081.827] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0081.827] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0081.827] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0081.827] lstrlenW (lpString=".doc") returned 4 [0081.827] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0081.827] lstrlenW (lpString=".docx") returned 5 [0081.827] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0081.827] lstrlenW (lpString=".pdf") returned 4 [0081.827] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0081.827] lstrlenW (lpString=".xls") returned 4 [0081.827] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0081.827] lstrlenW (lpString=".xlsx") returned 5 [0081.827] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0081.827] lstrlenW (lpString=".ppt") returned 4 [0081.827] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0081.827] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0081.827] lstrlenW (lpString=".zip") returned 4 [0081.827] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0081.827] lstrlenW (lpString=".rar") returned 4 [0081.827] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0081.827] lstrlenW (lpString=".bz2") returned 4 [0081.827] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0081.827] lstrlenW (lpString=".7z") returned 3 [0081.827] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0081.827] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0081.827] lstrlenW (lpString=".dbf") returned 4 [0081.827] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0081.828] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0081.828] lstrlenW (lpString=".1cd") returned 4 [0081.828] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0081.828] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0081.828] lstrlenW (lpString=".jpg") returned 4 [0081.828] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0081.828] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0081.828] lstrlenW (lpString="VisioMUI.msi") returned 12 [0081.828] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0081.828] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x365ff1c | out: lpFileSize=0x365ff1c*=2797568) returned 1 [0081.828] CloseHandle (hObject=0x1f4) returned 1 [0081.828] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi")) returned 0x2020 [0081.828] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.828] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0081.829] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0081.829] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0x0) returned 1 [0081.829] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0081.829] ReadFile (in: hFile=0x1f4, lpBuffer=0x3c70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c70058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.150] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0082.150] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cb0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.400] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0082.400] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0082.400] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cf0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.687] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0082.688] WriteFile (in: hFile=0x1f4, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x365fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0083.049] SetEndOfFile (hFile=0x1f4) returned 1 [0083.049] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40a97c0 [0083.049] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0083.049] WriteFile (in: hFile=0x1f4, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0083.051] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0083.051] WriteFile (in: hFile=0x1f4, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0083.059] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0083.059] WriteFile (in: hFile=0x1f4, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0083.062] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40a97c0 | out: hHeap=0x240000) returned 1 [0083.062] CloseHandle (hObject=0x1f4) returned 1 [0083.062] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0083.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0083.063] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0083.063] lstrlenW (lpString=".doc") returned 4 [0083.063] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0083.063] lstrlenW (lpString=".docx") returned 5 [0083.063] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0083.063] lstrlenW (lpString=".pdf") returned 4 [0083.063] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0083.063] lstrlenW (lpString=".xls") returned 4 [0083.063] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0083.063] lstrlenW (lpString=".xlsx") returned 5 [0083.063] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0083.063] lstrlenW (lpString=".ppt") returned 4 [0083.063] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0083.063] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0083.063] lstrlenW (lpString=".zip") returned 4 [0083.063] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0083.063] lstrlenW (lpString=".rar") returned 4 [0083.063] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0083.063] lstrlenW (lpString=".bz2") returned 4 [0083.063] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0083.063] lstrlenW (lpString=".7z") returned 3 [0083.063] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0083.063] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0083.063] lstrlenW (lpString=".dbf") returned 4 [0083.063] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0083.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0083.064] lstrlenW (lpString=".1cd") returned 4 [0083.064] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0083.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0083.064] lstrlenW (lpString=".jpg") returned 4 [0083.064] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0083.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0083.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0083.064] lstrlenW (lpString=".doc") returned 4 [0083.064] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0083.064] lstrlenW (lpString=".docx") returned 5 [0083.064] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0083.064] lstrlenW (lpString=".pdf") returned 4 [0083.064] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0083.064] lstrlenW (lpString=".xls") returned 4 [0083.064] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0083.064] lstrlenW (lpString=".xlsx") returned 5 [0083.064] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0083.064] lstrlenW (lpString=".ppt") returned 4 [0083.064] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0083.064] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0083.064] lstrlenW (lpString=".zip") returned 4 [0083.064] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0083.064] lstrlenW (lpString=".rar") returned 4 [0083.064] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0083.065] lstrlenW (lpString=".bz2") returned 4 [0083.065] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0083.065] lstrlenW (lpString=".7z") returned 3 [0083.065] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0083.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0083.065] lstrlenW (lpString=".dbf") returned 4 [0083.065] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0083.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0083.065] lstrlenW (lpString=".1cd") returned 4 [0083.065] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0083.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0083.065] lstrlenW (lpString=".jpg") returned 4 [0083.065] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0083.065] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0083.065] lstrlenW (lpString="GrooveLR.cab") returned 12 [0083.065] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0083.066] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x365ff1c | out: lpFileSize=0x365ff1c*=4095519) returned 1 [0083.066] CloseHandle (hObject=0x1f4) returned 1 [0083.066] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab")) returned 0x2020 [0083.066] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0083.066] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0083.067] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0083.067] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0x0) returned 1 [0083.067] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0083.067] ReadFile (in: hFile=0x1f4, lpBuffer=0x3c70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c70058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0083.840] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0083.841] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cb0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0083.848] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0083.848] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0083.848] ReadFile (in: hFile=0x1f4, lpBuffer=0x3cf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cf0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0083.867] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.867] WriteFile (in: hFile=0x1f4, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x365fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0084.059] SetEndOfFile (hFile=0x1f4) returned 1 [0084.059] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0084.064] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0084.064] WriteFile (in: hFile=0x1f4, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0084.066] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0084.066] WriteFile (in: hFile=0x1f4, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0084.068] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0084.068] WriteFile (in: hFile=0x1f4, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0084.071] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0084.071] CloseHandle (hObject=0x1f4) returned 1 [0084.072] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0084.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0084.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0084.072] lstrlenW (lpString=".doc") returned 4 [0084.072] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0084.072] lstrlenW (lpString=".docx") returned 5 [0084.072] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0084.072] lstrlenW (lpString=".pdf") returned 4 [0084.072] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0084.072] lstrlenW (lpString=".xls") returned 4 [0084.072] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0084.072] lstrlenW (lpString=".xlsx") returned 5 [0084.072] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0084.072] lstrlenW (lpString=".ppt") returned 4 [0084.072] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0084.072] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0084.073] lstrlenW (lpString=".zip") returned 4 [0084.073] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0084.073] lstrlenW (lpString=".rar") returned 4 [0084.073] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0084.073] lstrlenW (lpString=".bz2") returned 4 [0084.073] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0084.073] lstrlenW (lpString=".7z") returned 3 [0084.073] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0084.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0084.073] lstrlenW (lpString=".dbf") returned 4 [0084.073] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0084.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0084.073] lstrlenW (lpString=".1cd") returned 4 [0084.073] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0084.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0084.073] lstrlenW (lpString=".jpg") returned 4 [0084.073] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0084.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0084.073] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0084.073] lstrlenW (lpString=".doc") returned 4 [0084.073] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0084.073] lstrlenW (lpString=".docx") returned 5 [0084.073] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0084.073] lstrlenW (lpString=".pdf") returned 4 [0084.073] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0084.073] lstrlenW (lpString=".xls") returned 4 [0084.073] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0084.073] lstrlenW (lpString=".xlsx") returned 5 [0084.073] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0084.073] lstrlenW (lpString=".ppt") returned 4 [0084.073] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0084.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0084.074] lstrlenW (lpString=".zip") returned 4 [0084.074] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0084.074] lstrlenW (lpString=".rar") returned 4 [0084.074] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0084.074] lstrlenW (lpString=".bz2") returned 4 [0084.074] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0084.074] lstrlenW (lpString=".7z") returned 3 [0084.074] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0084.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0084.074] lstrlenW (lpString=".dbf") returned 4 [0084.074] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0084.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0084.074] lstrlenW (lpString=".1cd") returned 4 [0084.074] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0084.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0084.074] lstrlenW (lpString=".jpg") returned 4 [0084.074] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0084.074] lstrcmpiW (lpString1=".EXE", lpString2=".mnbzr") returned -1 [0084.074] lstrlenW (lpString="DW20.EXE") returned 8 [0084.074] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0085.561] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x365ff1c | out: lpFileSize=0x365ff1c*=838536) returned 1 [0085.561] CloseHandle (hObject=0x1e4) returned 1 [0085.561] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 0x2020 [0085.561] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.604] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0085.604] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.604] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.604] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0086.283] GetLastError () returned 0x0 [0086.283] ReadFile (in: hFile=0x1e4, lpBuffer=0x3c70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x365fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesRead=0x365fed4*=0xccb88, lpOverlapped=0x0) returned 1 [0086.323] WriteFile (in: hFile=0x204, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0xccb90, lpNumberOfBytesWritten=0x365fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fc9c*=0xccb90, lpOverlapped=0x0) returned 1 [0086.555] ReadFile (in: hFile=0x1e4, lpBuffer=0x3c70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x365fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesRead=0x365fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.555] WriteFile (in: hFile=0x204, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x365fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0086.555] SetEndOfFile (hFile=0x204) returned 1 [0086.555] CloseHandle (hObject=0x204) returned 1 [0086.555] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.555] SetEndOfFile (hFile=0x1e4) returned 1 [0086.565] CloseHandle (hObject=0x1e4) returned 1 [0086.565] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0086.566] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 1 [0086.566] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0086.566] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0086.566] lstrlenW (lpString=".doc") returned 4 [0086.566] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0086.566] lstrlenW (lpString=".docx") returned 5 [0086.566] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0086.566] lstrlenW (lpString=".pdf") returned 4 [0086.566] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0086.566] lstrlenW (lpString=".xls") returned 4 [0086.566] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0086.566] lstrlenW (lpString=".xlsx") returned 5 [0086.566] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0086.567] lstrlenW (lpString=".ppt") returned 4 [0086.567] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0086.567] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0086.567] lstrlenW (lpString=".zip") returned 4 [0086.567] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0086.567] lstrlenW (lpString=".rar") returned 4 [0086.567] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0086.567] lstrlenW (lpString=".bz2") returned 4 [0086.567] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0086.567] lstrlenW (lpString=".7z") returned 3 [0086.567] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0086.567] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0086.567] lstrlenW (lpString=".dbf") returned 4 [0086.567] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0086.567] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0086.567] lstrlenW (lpString=".1cd") returned 4 [0086.567] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0086.567] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0086.567] lstrlenW (lpString=".jpg") returned 4 [0086.567] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0086.567] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0086.567] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0086.567] lstrlenW (lpString=".doc") returned 4 [0086.567] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0086.567] lstrlenW (lpString=".docx") returned 5 [0086.568] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0086.568] lstrlenW (lpString=".pdf") returned 4 [0086.568] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0086.568] lstrlenW (lpString=".xls") returned 4 [0086.568] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0086.568] lstrlenW (lpString=".xlsx") returned 5 [0086.568] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0086.568] lstrlenW (lpString=".ppt") returned 4 [0086.568] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0086.568] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0086.568] lstrlenW (lpString=".zip") returned 4 [0086.568] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0086.568] lstrlenW (lpString=".rar") returned 4 [0086.568] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0086.568] lstrlenW (lpString=".bz2") returned 4 [0086.568] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0086.568] lstrlenW (lpString=".7z") returned 3 [0086.568] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0086.568] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0086.568] lstrlenW (lpString=".dbf") returned 4 [0086.568] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0086.568] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0086.568] lstrlenW (lpString=".1cd") returned 4 [0086.568] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0086.568] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0086.568] lstrlenW (lpString=".jpg") returned 4 [0086.568] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0086.569] lstrcmpiW (lpString1=".dll", lpString2=".mnbzr") returned -1 [0086.569] lstrlenW (lpString="osetupui.dll") returned 12 [0086.569] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0086.569] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x365ff1c | out: lpFileSize=0x365ff1c*=191872) returned 1 [0086.569] CloseHandle (hObject=0x1e4) returned 1 [0086.569] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 0x2020 [0086.570] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.570] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0086.570] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.570] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.570] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0086.570] GetLastError () returned 0x0 [0086.570] ReadFile (in: hFile=0x1e4, lpBuffer=0x3c70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x365fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesRead=0x365fed4*=0x2ed80, lpOverlapped=0x0) returned 1 [0086.608] WriteFile (in: hFile=0x204, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0x2ed90, lpNumberOfBytesWritten=0x365fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fc9c*=0x2ed90, lpOverlapped=0x0) returned 1 [0086.971] ReadFile (in: hFile=0x1e4, lpBuffer=0x3c70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x365fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesRead=0x365fed4*=0x0, lpOverlapped=0x0) returned 1 [0086.971] WriteFile (in: hFile=0x204, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x365fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fc9c*=0xec, lpOverlapped=0x0) returned 1 [0086.971] SetEndOfFile (hFile=0x204) returned 1 [0086.971] CloseHandle (hObject=0x204) returned 1 [0086.971] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.971] SetEndOfFile (hFile=0x1e4) returned 1 [0086.974] CloseHandle (hObject=0x1e4) returned 1 [0086.974] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0087.246] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 1 [0087.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0087.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0087.644] lstrlenW (lpString=".doc") returned 4 [0087.644] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0087.644] lstrlenW (lpString=".docx") returned 5 [0087.644] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0087.644] lstrlenW (lpString=".pdf") returned 4 [0087.644] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0087.645] lstrlenW (lpString=".xls") returned 4 [0087.645] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0087.645] lstrlenW (lpString=".xlsx") returned 5 [0087.645] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0087.645] lstrlenW (lpString=".ppt") returned 4 [0087.645] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0087.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0087.645] lstrlenW (lpString=".zip") returned 4 [0087.645] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0087.645] lstrlenW (lpString=".rar") returned 4 [0087.645] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0087.645] lstrlenW (lpString=".bz2") returned 4 [0087.645] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0087.645] lstrlenW (lpString=".7z") returned 3 [0087.645] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0087.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0087.645] lstrlenW (lpString=".dbf") returned 4 [0087.645] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0087.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0087.645] lstrlenW (lpString=".1cd") returned 4 [0087.645] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0087.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0087.645] lstrlenW (lpString=".jpg") returned 4 [0087.645] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0087.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0087.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0087.645] lstrlenW (lpString=".doc") returned 4 [0087.646] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0087.646] lstrlenW (lpString=".docx") returned 5 [0087.646] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0087.646] lstrlenW (lpString=".pdf") returned 4 [0087.646] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0087.646] lstrlenW (lpString=".xls") returned 4 [0087.646] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0087.646] lstrlenW (lpString=".xlsx") returned 5 [0087.646] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0087.646] lstrlenW (lpString=".ppt") returned 4 [0087.646] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0087.646] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0087.646] lstrlenW (lpString=".zip") returned 4 [0087.646] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0087.646] lstrlenW (lpString=".rar") returned 4 [0087.646] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0087.646] lstrlenW (lpString=".bz2") returned 4 [0087.646] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0087.646] lstrlenW (lpString=".7z") returned 3 [0087.646] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0087.646] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0087.646] lstrlenW (lpString=".dbf") returned 4 [0087.646] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0087.646] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0087.646] lstrlenW (lpString=".1cd") returned 4 [0087.646] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0087.646] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0087.646] lstrlenW (lpString=".jpg") returned 4 [0087.647] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0087.647] lstrcmpiW (lpString1=".dll", lpString2=".mnbzr") returned -1 [0087.647] lstrlenW (lpString="osetup.dll") returned 10 [0087.647] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0088.213] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x365ff1c | out: lpFileSize=0x365ff1c*=7378792) returned 1 [0088.213] CloseHandle (hObject=0x1cc) returned 1 [0088.213] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0088.223] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0088.229] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0088.234] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0088.234] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0x0) returned 1 [0088.234] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0088.234] ReadFile (in: hFile=0x1b0, lpBuffer=0x3c70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c70058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0088.451] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0088.451] ReadFile (in: hFile=0x1b0, lpBuffer=0x3cb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cb0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0088.968] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0088.968] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0088.968] ReadFile (in: hFile=0x1b0, lpBuffer=0x3cf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cf0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0089.219] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.219] WriteFile (in: hFile=0x1b0, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x365fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0089.620] SetEndOfFile (hFile=0x1b0) returned 1 [0089.620] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40a97c0 [0089.625] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0089.625] WriteFile (in: hFile=0x1b0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0089.627] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0089.627] WriteFile (in: hFile=0x1b0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0089.630] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x365fc7c | out: lpNewFilePointer=0x0) returned 1 [0089.630] WriteFile (in: hFile=0x1b0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x365fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x365fc88*=0x40000, lpOverlapped=0x0) returned 1 [0089.631] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40a97c0 | out: hHeap=0x240000) returned 1 [0089.631] CloseHandle (hObject=0x1b0) returned 1 [0089.632] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0089.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0089.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0089.632] lstrlenW (lpString=".doc") returned 4 [0089.632] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0089.632] lstrlenW (lpString=".docx") returned 5 [0089.632] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0089.632] lstrlenW (lpString=".pdf") returned 4 [0089.632] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0089.632] lstrlenW (lpString=".xls") returned 4 [0089.632] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0089.632] lstrlenW (lpString=".xlsx") returned 5 [0089.632] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0089.632] lstrlenW (lpString=".ppt") returned 4 [0089.632] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0089.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0089.632] lstrlenW (lpString=".zip") returned 4 [0089.633] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0089.633] lstrlenW (lpString=".rar") returned 4 [0089.633] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0089.633] lstrlenW (lpString=".bz2") returned 4 [0089.633] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0089.633] lstrlenW (lpString=".7z") returned 3 [0089.633] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0089.633] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0089.633] lstrlenW (lpString=".dbf") returned 4 [0089.633] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0089.633] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0089.633] lstrlenW (lpString=".1cd") returned 4 [0089.633] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0089.633] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0089.633] lstrlenW (lpString=".jpg") returned 4 [0089.633] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0089.633] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0089.633] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0089.633] lstrlenW (lpString=".doc") returned 4 [0089.633] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0089.633] lstrlenW (lpString=".docx") returned 5 [0089.633] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0089.633] lstrlenW (lpString=".pdf") returned 4 [0089.633] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0089.633] lstrlenW (lpString=".xls") returned 4 [0089.633] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0089.633] lstrlenW (lpString=".xlsx") returned 5 [0089.633] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0089.633] lstrlenW (lpString=".ppt") returned 4 [0089.634] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0089.634] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0089.634] lstrlenW (lpString=".zip") returned 4 [0089.634] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0089.634] lstrlenW (lpString=".rar") returned 4 [0089.634] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0089.634] lstrlenW (lpString=".bz2") returned 4 [0089.634] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0089.634] lstrlenW (lpString=".7z") returned 3 [0089.634] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0089.634] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0089.634] lstrlenW (lpString=".dbf") returned 4 [0089.634] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0089.634] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0089.634] lstrlenW (lpString=".1cd") returned 4 [0089.634] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0089.634] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0089.634] lstrlenW (lpString=".jpg") returned 4 [0089.634] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0089.634] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mnbzr") returned 1 [0089.634] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0089.634] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0089.635] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x365ff1c | out: lpFileSize=0x365ff1c*=715834) returned 1 [0089.635] CloseHandle (hObject=0x1b0) returned 1 [0089.635] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0089.635] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0089.635] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0089.635] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.635] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.635] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0089.636] GetLastError () returned 0x0 [0089.636] ReadFile (in: hFile=0x1b0, lpBuffer=0x3c70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x365fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesRead=0x365fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0089.887] WriteFile (in: hFile=0x214, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x365fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0089.900] ReadFile (in: hFile=0x1b0, lpBuffer=0x3c70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x365fed4, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesRead=0x365fed4*=0x0, lpOverlapped=0x0) returned 1 [0089.900] WriteFile (in: hFile=0x214, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x365fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fc9c*=0x104, lpOverlapped=0x0) returned 1 [0089.900] SetEndOfFile (hFile=0x214) returned 1 [0089.901] CloseHandle (hObject=0x214) returned 1 [0089.901] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.901] SetEndOfFile (hFile=0x1b0) returned 1 [0089.908] CloseHandle (hObject=0x1b0) returned 1 [0089.908] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0089.909] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0089.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0089.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0089.909] lstrlenW (lpString=".doc") returned 4 [0089.909] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0089.909] lstrlenW (lpString=".docx") returned 5 [0089.909] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0089.909] lstrlenW (lpString=".pdf") returned 4 [0089.909] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0089.909] lstrlenW (lpString=".xls") returned 4 [0089.909] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0089.909] lstrlenW (lpString=".xlsx") returned 5 [0089.909] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0089.909] lstrlenW (lpString=".ppt") returned 4 [0089.909] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0089.909] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0089.909] lstrlenW (lpString=".zip") returned 4 [0089.909] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0089.910] lstrlenW (lpString=".rar") returned 4 [0089.910] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0089.910] lstrlenW (lpString=".bz2") returned 4 [0090.185] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0090.185] lstrlenW (lpString=".7z") returned 3 [0090.185] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0090.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0090.185] lstrlenW (lpString=".dbf") returned 4 [0090.185] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0090.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0090.185] lstrlenW (lpString=".1cd") returned 4 [0090.185] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0090.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0090.185] lstrlenW (lpString=".jpg") returned 4 [0090.185] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0090.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0090.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0090.185] lstrlenW (lpString=".doc") returned 4 [0090.185] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0090.185] lstrlenW (lpString=".docx") returned 5 [0090.186] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0090.186] lstrlenW (lpString=".pdf") returned 4 [0090.186] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0090.186] lstrlenW (lpString=".xls") returned 4 [0090.186] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0090.186] lstrlenW (lpString=".xlsx") returned 5 [0090.186] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0090.186] lstrlenW (lpString=".ppt") returned 4 [0090.186] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0090.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0090.186] lstrlenW (lpString=".zip") returned 4 [0090.186] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0090.186] lstrlenW (lpString=".rar") returned 4 [0090.186] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0090.186] lstrlenW (lpString=".bz2") returned 4 [0090.186] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0090.186] lstrlenW (lpString=".7z") returned 3 [0090.186] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0090.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0090.186] lstrlenW (lpString=".dbf") returned 4 [0090.186] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0090.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0090.186] lstrlenW (lpString=".1cd") returned 4 [0090.186] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0090.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0090.186] lstrlenW (lpString=".jpg") returned 4 [0090.186] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0090.187] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0090.187] lstrlenW (lpString="ProPrWW2.cab") returned 12 [0090.187] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0092.586] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x365ff1c | out: lpFileSize=0x365ff1c*=222948913) returned 1 [0092.586] CloseHandle (hObject=0x1e8) returned 1 [0092.586] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab")) returned 0x2020 [0092.587] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0092.587] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0092.588] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0092.588] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0x0) returned 1 [0092.588] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0092.588] ReadFile (in: hFile=0x1e8, lpBuffer=0x3c70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c70058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0092.614] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0092.615] ReadFile (in: hFile=0x1e8, lpBuffer=0x3cb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cb0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0092.625] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x365fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0092.625] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x365fc2c | out: lpNewFilePointer=0x0) returned 1 [0092.625] ReadFile (in: hFile=0x1e8, lpBuffer=0x3cf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x365fc38, lpOverlapped=0x0 | out: lpBuffer=0x3cf0058*, lpNumberOfBytesRead=0x365fc38*=0x40000, lpOverlapped=0x0) returned 1 [0092.968] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x365fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.968] WriteFile (in: hFile=0x1e8, lpBuffer=0x3c70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x365fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c70020*, lpNumberOfBytesWritten=0x365fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0092.988] SetEndOfFile (hFile=0x1e8) Thread: id = 17 os_tid = 0x518 [0067.400] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x32629f8 [0067.401] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x3272a00 [0067.401] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298d90 [0067.401] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x2e1070 [0067.402] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298da8 [0067.402] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x100000) returned 0x3d80020 [0067.402] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298dc0 [0067.402] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298dc0, Size=0x20) returned 0x2df678 [0067.402] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298dc0 [0067.402] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298dc0, Size=0x20) returned 0x2df6a0 [0067.402] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0067.402] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0067.402] Wow64DisableWow64FsRedirection (in: OldValue=0x379ff58 | out: OldValue=0x379ff58*=0x0) returned 1 [0067.402] lstrlenW (lpString="kernel32.dll") returned 12 [0067.402] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df678 | out: hHeap=0x240000) returned 1 [0067.402] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0067.402] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df6a0 | out: hHeap=0x240000) returned 1 [0067.403] Sleep (dwMilliseconds=0x64) [0067.598] lstrcmpiW (lpString1=".ttf", lpString2=".mnbzr") returned 1 [0067.598] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0067.599] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0067.875] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=1984228) returned 1 [0067.875] CloseHandle (hObject=0x1d0) returned 1 [0067.875] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0067.875] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.875] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0 [0067.875] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0067.875] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0067.875] lstrlenW (lpString=".doc") returned 4 [0067.876] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0067.876] lstrlenW (lpString=".docx") returned 5 [0067.876] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0067.876] lstrlenW (lpString=".pdf") returned 4 [0067.876] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0067.876] lstrlenW (lpString=".xls") returned 4 [0067.876] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0067.876] lstrlenW (lpString=".xlsx") returned 5 [0067.876] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0067.876] lstrlenW (lpString=".ppt") returned 4 [0067.876] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0067.876] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0067.876] lstrlenW (lpString=".zip") returned 4 [0067.876] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0067.876] lstrlenW (lpString=".rar") returned 4 [0067.876] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0067.876] lstrlenW (lpString=".bz2") returned 4 [0067.876] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0067.876] lstrlenW (lpString=".7z") returned 3 [0067.876] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0067.876] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0067.876] lstrlenW (lpString=".dbf") returned 4 [0067.876] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0067.876] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0067.876] lstrlenW (lpString=".1cd") returned 4 [0067.876] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0067.876] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0067.877] lstrlenW (lpString=".jpg") returned 4 [0067.877] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0067.877] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0067.877] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0067.877] lstrlenW (lpString=".doc") returned 4 [0067.877] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0067.877] lstrlenW (lpString=".docx") returned 5 [0067.877] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0067.877] lstrlenW (lpString=".pdf") returned 4 [0067.877] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0067.877] lstrlenW (lpString=".xls") returned 4 [0067.877] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0067.877] lstrlenW (lpString=".xlsx") returned 5 [0067.877] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0067.877] lstrlenW (lpString=".ppt") returned 4 [0067.877] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0067.877] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0067.877] lstrlenW (lpString=".zip") returned 4 [0067.877] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0067.877] lstrlenW (lpString=".rar") returned 4 [0067.877] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0067.877] lstrlenW (lpString=".bz2") returned 4 [0067.877] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0067.877] lstrlenW (lpString=".7z") returned 3 [0067.877] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0067.877] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0067.878] lstrlenW (lpString=".dbf") returned 4 [0067.878] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0067.878] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0067.878] lstrlenW (lpString=".1cd") returned 4 [0067.878] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0067.878] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0067.878] lstrlenW (lpString=".jpg") returned 4 [0067.878] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0067.878] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0067.878] lstrlenW (lpString="ExcelMUI.msi") returned 12 [0067.878] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0067.878] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=2506240) returned 1 [0067.878] CloseHandle (hObject=0x1d0) returned 1 [0067.878] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi")) returned 0x2020 [0067.879] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.879] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0067.879] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0067.880] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0x0) returned 1 [0067.880] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.880] ReadFile (in: hFile=0x1d0, lpBuffer=0x3d80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d80058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.980] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0067.980] ReadFile (in: hFile=0x1d0, lpBuffer=0x3dc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dc0058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0068.093] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0068.093] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0068.093] ReadFile (in: hFile=0x1d0, lpBuffer=0x3e00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e00058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0069.318] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0069.319] WriteFile (in: hFile=0x1d0, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x379fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0069.339] SetEndOfFile (hFile=0x1d0) returned 1 [0069.339] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40897c0 [0069.502] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.502] WriteFile (in: hFile=0x1d0, lpBuffer=0x40897c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40897c0*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.503] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.503] WriteFile (in: hFile=0x1d0, lpBuffer=0x40897c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40897c0*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.510] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0069.511] WriteFile (in: hFile=0x1d0, lpBuffer=0x40897c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40897c0*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.515] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40897c0 | out: hHeap=0x240000) returned 1 [0069.515] CloseHandle (hObject=0x1d0) returned 1 [0070.271] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0070.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0070.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0070.272] lstrlenW (lpString=".doc") returned 4 [0070.272] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0070.272] lstrlenW (lpString=".docx") returned 5 [0070.272] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0070.272] lstrlenW (lpString=".pdf") returned 4 [0070.272] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0070.272] lstrlenW (lpString=".xls") returned 4 [0070.272] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0070.272] lstrlenW (lpString=".xlsx") returned 5 [0070.272] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0070.272] lstrlenW (lpString=".ppt") returned 4 [0070.272] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0070.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0070.272] lstrlenW (lpString=".zip") returned 4 [0070.272] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0070.272] lstrlenW (lpString=".rar") returned 4 [0070.272] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0070.272] lstrlenW (lpString=".bz2") returned 4 [0070.272] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0070.272] lstrlenW (lpString=".7z") returned 3 [0070.272] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0070.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0070.273] lstrlenW (lpString=".dbf") returned 4 [0070.273] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0070.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0070.273] lstrlenW (lpString=".1cd") returned 4 [0070.273] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0070.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0070.273] lstrlenW (lpString=".jpg") returned 4 [0070.273] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0070.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0070.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0070.273] lstrlenW (lpString=".doc") returned 4 [0070.273] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0070.273] lstrlenW (lpString=".docx") returned 5 [0070.273] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0070.273] lstrlenW (lpString=".pdf") returned 4 [0070.273] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0070.273] lstrlenW (lpString=".xls") returned 4 [0070.273] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0070.273] lstrlenW (lpString=".xlsx") returned 5 [0070.274] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0070.274] lstrlenW (lpString=".ppt") returned 4 [0070.274] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0070.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0070.274] lstrlenW (lpString=".zip") returned 4 [0070.274] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0070.274] lstrlenW (lpString=".rar") returned 4 [0070.274] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0070.274] lstrlenW (lpString=".bz2") returned 4 [0070.274] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0070.274] lstrlenW (lpString=".7z") returned 3 [0070.274] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0070.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0070.274] lstrlenW (lpString=".dbf") returned 4 [0070.274] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0070.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0070.274] lstrlenW (lpString=".1cd") returned 4 [0070.274] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0070.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0070.274] lstrlenW (lpString=".jpg") returned 4 [0070.274] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0070.275] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0070.275] lstrlenW (lpString="PublisherMUI.msi") returned 16 [0070.275] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0070.275] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=2513920) returned 1 [0070.275] CloseHandle (hObject=0x1d0) returned 1 [0070.275] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi")) returned 0x2020 [0070.276] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0070.276] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0070.277] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0070.277] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0x0) returned 1 [0070.277] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0070.277] ReadFile (in: hFile=0x1d0, lpBuffer=0x3d80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d80058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0070.476] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0070.476] ReadFile (in: hFile=0x1d0, lpBuffer=0x3dc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dc0058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0070.674] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0070.674] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0070.674] ReadFile (in: hFile=0x1d0, lpBuffer=0x3e00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e00058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0070.809] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0070.809] WriteFile (in: hFile=0x1d0, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xc010c, lpNumberOfBytesWritten=0x379fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fcb0*=0xc010c, lpOverlapped=0x0) returned 1 [0070.829] SetEndOfFile (hFile=0x1d0) returned 1 [0070.830] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0071.249] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0071.250] WriteFile (in: hFile=0x1d0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0071.252] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0071.252] WriteFile (in: hFile=0x1d0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0071.260] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0071.261] WriteFile (in: hFile=0x1d0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0071.265] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0071.336] CloseHandle (hObject=0x1d0) returned 1 [0071.846] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0071.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0071.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0071.846] lstrlenW (lpString=".doc") returned 4 [0071.846] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0071.846] lstrlenW (lpString=".docx") returned 5 [0071.846] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0071.846] lstrlenW (lpString=".pdf") returned 4 [0071.846] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0071.846] lstrlenW (lpString=".xls") returned 4 [0071.846] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0071.846] lstrlenW (lpString=".xlsx") returned 5 [0071.846] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0071.846] lstrlenW (lpString=".ppt") returned 4 [0071.846] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0071.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0071.846] lstrlenW (lpString=".zip") returned 4 [0071.847] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0071.847] lstrlenW (lpString=".rar") returned 4 [0071.847] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0071.847] lstrlenW (lpString=".bz2") returned 4 [0071.847] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0071.847] lstrlenW (lpString=".7z") returned 3 [0071.847] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0071.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0071.847] lstrlenW (lpString=".dbf") returned 4 [0071.847] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0071.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0071.847] lstrlenW (lpString=".1cd") returned 4 [0071.847] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0071.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0071.847] lstrlenW (lpString=".jpg") returned 4 [0071.847] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0071.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0071.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0071.847] lstrlenW (lpString=".doc") returned 4 [0071.847] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0071.847] lstrlenW (lpString=".docx") returned 5 [0071.847] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0071.847] lstrlenW (lpString=".pdf") returned 4 [0071.847] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0071.847] lstrlenW (lpString=".xls") returned 4 [0071.847] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0071.847] lstrlenW (lpString=".xlsx") returned 5 [0071.847] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0071.847] lstrlenW (lpString=".ppt") returned 4 [0071.847] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0071.848] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0071.848] lstrlenW (lpString=".zip") returned 4 [0071.848] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0071.848] lstrlenW (lpString=".rar") returned 4 [0071.848] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0071.848] lstrlenW (lpString=".bz2") returned 4 [0071.848] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0071.848] lstrlenW (lpString=".7z") returned 3 [0071.848] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0071.848] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0071.848] lstrlenW (lpString=".dbf") returned 4 [0071.848] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0071.848] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0071.848] lstrlenW (lpString=".1cd") returned 4 [0071.848] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0071.848] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0071.848] lstrlenW (lpString=".jpg") returned 4 [0071.848] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0071.848] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0071.848] lstrlenW (lpString="OutlkLR.cab") returned 11 [0071.848] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0071.849] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=14819276) returned 1 [0071.849] CloseHandle (hObject=0x1d0) returned 1 [0071.849] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab")) returned 0x2020 [0071.849] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0071.849] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0071.849] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0071.849] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0x0) returned 1 [0071.850] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0071.850] ReadFile (in: hFile=0x1d0, lpBuffer=0x3d80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d80058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0071.854] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0071.854] ReadFile (in: hFile=0x1d0, lpBuffer=0x3dc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dc0058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0071.861] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0071.861] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0071.861] ReadFile (in: hFile=0x1d0, lpBuffer=0x3e00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e00058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0071.882] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0071.883] WriteFile (in: hFile=0x1d0, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x379fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0072.072] SetEndOfFile (hFile=0x1d0) returned 1 [0072.072] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0072.077] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0072.077] WriteFile (in: hFile=0x1d0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0072.078] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0072.078] WriteFile (in: hFile=0x1d0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0072.079] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0072.079] WriteFile (in: hFile=0x1d0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0072.081] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0072.081] CloseHandle (hObject=0x1d0) returned 1 [0074.731] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0074.732] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0074.732] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0074.732] lstrlenW (lpString=".doc") returned 4 [0074.732] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0074.732] lstrlenW (lpString=".docx") returned 5 [0074.732] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0074.732] lstrlenW (lpString=".pdf") returned 4 [0074.732] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0074.732] lstrlenW (lpString=".xls") returned 4 [0074.732] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0074.732] lstrlenW (lpString=".xlsx") returned 5 [0074.732] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0074.732] lstrlenW (lpString=".ppt") returned 4 [0074.732] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0074.732] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0074.732] lstrlenW (lpString=".zip") returned 4 [0074.732] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0074.732] lstrlenW (lpString=".rar") returned 4 [0074.732] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0074.732] lstrlenW (lpString=".bz2") returned 4 [0074.732] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0074.732] lstrlenW (lpString=".7z") returned 3 [0074.732] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0074.732] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0074.732] lstrlenW (lpString=".dbf") returned 4 [0074.732] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0074.732] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0074.732] lstrlenW (lpString=".1cd") returned 4 [0074.732] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0074.732] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0074.732] lstrlenW (lpString=".jpg") returned 4 [0074.733] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0074.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0074.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0074.733] lstrlenW (lpString=".doc") returned 4 [0074.733] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0074.733] lstrlenW (lpString=".docx") returned 5 [0074.733] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0074.733] lstrlenW (lpString=".pdf") returned 4 [0074.733] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0074.733] lstrlenW (lpString=".xls") returned 4 [0074.733] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0074.733] lstrlenW (lpString=".xlsx") returned 5 [0074.733] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0074.733] lstrlenW (lpString=".ppt") returned 4 [0074.733] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0074.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0074.733] lstrlenW (lpString=".zip") returned 4 [0074.733] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0074.733] lstrlenW (lpString=".rar") returned 4 [0074.733] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0074.733] lstrlenW (lpString=".bz2") returned 4 [0074.733] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0074.733] lstrlenW (lpString=".7z") returned 3 [0074.733] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0074.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0074.733] lstrlenW (lpString=".dbf") returned 4 [0074.733] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0074.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0074.733] lstrlenW (lpString=".1cd") returned 4 [0074.733] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0074.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0074.733] lstrlenW (lpString=".jpg") returned 4 [0074.733] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0074.734] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0074.734] lstrlenW (lpString="Proof.cab") returned 9 [0074.734] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0074.734] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=11482605) returned 1 [0074.734] CloseHandle (hObject=0x1d0) returned 1 [0074.734] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab")) returned 0x2020 [0074.734] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0074.734] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0074.752] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0074.753] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0x0) returned 1 [0074.753] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0074.753] ReadFile (in: hFile=0x1d0, lpBuffer=0x3d80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d80058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0075.419] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0075.419] ReadFile (in: hFile=0x1d0, lpBuffer=0x3dc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dc0058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0075.436] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0075.436] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0075.436] ReadFile (in: hFile=0x1d0, lpBuffer=0x3e00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e00058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0075.457] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0075.457] WriteFile (in: hFile=0x1d0, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x379fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0075.479] SetEndOfFile (hFile=0x1d0) returned 1 [0075.479] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0075.479] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0075.479] WriteFile (in: hFile=0x1d0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0075.756] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0075.756] WriteFile (in: hFile=0x1d0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0075.759] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0075.759] WriteFile (in: hFile=0x1d0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0075.762] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0075.762] CloseHandle (hObject=0x1d0) returned 1 [0079.537] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0079.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0079.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0079.538] lstrlenW (lpString=".doc") returned 4 [0079.538] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0079.538] lstrlenW (lpString=".docx") returned 5 [0079.538] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0079.538] lstrlenW (lpString=".pdf") returned 4 [0079.538] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0079.538] lstrlenW (lpString=".xls") returned 4 [0079.538] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0079.538] lstrlenW (lpString=".xlsx") returned 5 [0079.538] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0079.538] lstrlenW (lpString=".ppt") returned 4 [0079.538] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0079.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0079.538] lstrlenW (lpString=".zip") returned 4 [0079.538] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0079.538] lstrlenW (lpString=".rar") returned 4 [0079.538] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0079.538] lstrlenW (lpString=".bz2") returned 4 [0079.538] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0079.538] lstrlenW (lpString=".7z") returned 3 [0079.538] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0079.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0079.539] lstrlenW (lpString=".dbf") returned 4 [0079.539] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0079.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0079.539] lstrlenW (lpString=".1cd") returned 4 [0079.539] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0079.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0079.539] lstrlenW (lpString=".jpg") returned 4 [0079.539] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0079.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0079.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0079.539] lstrlenW (lpString=".doc") returned 4 [0079.539] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0079.539] lstrlenW (lpString=".docx") returned 5 [0079.539] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0079.539] lstrlenW (lpString=".pdf") returned 4 [0079.539] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0079.539] lstrlenW (lpString=".xls") returned 4 [0079.539] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0079.539] lstrlenW (lpString=".xlsx") returned 5 [0079.539] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0079.539] lstrlenW (lpString=".ppt") returned 4 [0079.539] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0079.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0079.539] lstrlenW (lpString=".zip") returned 4 [0079.539] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0079.539] lstrlenW (lpString=".rar") returned 4 [0079.539] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0079.540] lstrlenW (lpString=".bz2") returned 4 [0079.540] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0079.540] lstrlenW (lpString=".7z") returned 3 [0079.540] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0079.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0079.540] lstrlenW (lpString=".dbf") returned 4 [0079.540] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0079.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0079.540] lstrlenW (lpString=".1cd") returned 4 [0079.540] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0079.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0079.540] lstrlenW (lpString=".jpg") returned 4 [0079.540] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0079.540] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0079.540] lstrlenW (lpString="Office32MUI.msi") returned 15 [0079.540] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0079.541] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=873984) returned 1 [0079.541] CloseHandle (hObject=0x1d0) returned 1 [0079.541] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 0x2020 [0079.541] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0079.541] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0079.541] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.541] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0079.541] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0079.542] GetLastError () returned 0x0 [0079.542] ReadFile (in: hFile=0x1d0, lpBuffer=0x3d80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x379fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesRead=0x379fed4*=0xd5600, lpOverlapped=0x0) returned 1 [0079.829] WriteFile (in: hFile=0x1e8, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xd5610, lpNumberOfBytesWritten=0x379fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fc9c*=0xd5610, lpOverlapped=0x0) returned 1 [0080.234] ReadFile (in: hFile=0x1d0, lpBuffer=0x3d80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x379fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesRead=0x379fed4*=0x0, lpOverlapped=0x0) returned 1 [0080.234] WriteFile (in: hFile=0x1e8, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x379fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0080.234] SetEndOfFile (hFile=0x1e8) returned 1 [0080.235] CloseHandle (hObject=0x1e8) returned 1 [0080.245] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0080.245] SetEndOfFile (hFile=0x1d0) returned 1 [0080.255] CloseHandle (hObject=0x1d0) returned 1 [0080.256] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0080.256] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 1 [0080.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0080.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0080.256] lstrlenW (lpString=".doc") returned 4 [0080.256] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0080.256] lstrlenW (lpString=".docx") returned 5 [0080.256] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0080.256] lstrlenW (lpString=".pdf") returned 4 [0080.257] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0080.257] lstrlenW (lpString=".xls") returned 4 [0080.257] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0080.257] lstrlenW (lpString=".xlsx") returned 5 [0080.257] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0080.257] lstrlenW (lpString=".ppt") returned 4 [0080.257] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0080.257] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0080.257] lstrlenW (lpString=".zip") returned 4 [0080.257] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0080.257] lstrlenW (lpString=".rar") returned 4 [0080.257] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0080.257] lstrlenW (lpString=".bz2") returned 4 [0080.257] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0080.257] lstrlenW (lpString=".7z") returned 3 [0080.257] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0080.257] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0080.257] lstrlenW (lpString=".dbf") returned 4 [0080.257] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0080.257] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0080.257] lstrlenW (lpString=".1cd") returned 4 [0080.257] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0080.257] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0080.257] lstrlenW (lpString=".jpg") returned 4 [0080.257] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0080.257] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0080.257] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0080.258] lstrlenW (lpString=".doc") returned 4 [0080.258] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0080.258] lstrlenW (lpString=".docx") returned 5 [0080.258] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0080.258] lstrlenW (lpString=".pdf") returned 4 [0080.258] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0080.258] lstrlenW (lpString=".xls") returned 4 [0080.258] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0080.258] lstrlenW (lpString=".xlsx") returned 5 [0080.258] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0080.258] lstrlenW (lpString=".ppt") returned 4 [0080.258] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0080.258] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0080.258] lstrlenW (lpString=".zip") returned 4 [0080.258] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0080.258] lstrlenW (lpString=".rar") returned 4 [0080.258] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0080.258] lstrlenW (lpString=".bz2") returned 4 [0080.258] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0080.258] lstrlenW (lpString=".7z") returned 3 [0080.258] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0080.258] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0080.258] lstrlenW (lpString=".dbf") returned 4 [0080.258] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0080.258] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0080.258] lstrlenW (lpString=".1cd") returned 4 [0080.258] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0080.258] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0080.259] lstrlenW (lpString=".jpg") returned 4 [0080.259] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0080.259] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0080.259] lstrlenW (lpString="InfLR.cab") returned 9 [0080.259] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0080.259] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=18874884) returned 1 [0080.259] CloseHandle (hObject=0x1d0) returned 1 [0080.260] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab")) returned 0x2020 [0080.260] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0080.260] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0080.260] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0080.260] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0x0) returned 1 [0080.261] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0080.261] ReadFile (in: hFile=0x1d0, lpBuffer=0x3d80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d80058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0080.266] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0080.266] ReadFile (in: hFile=0x1d0, lpBuffer=0x3dc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dc0058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0080.279] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0080.279] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0080.279] ReadFile (in: hFile=0x1d0, lpBuffer=0x3e00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e00058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0080.302] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0080.302] WriteFile (in: hFile=0x1d0, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x379fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0080.555] SetEndOfFile (hFile=0x1d0) returned 1 [0080.555] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40a97c0 [0080.555] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0080.555] WriteFile (in: hFile=0x1d0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0080.557] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0080.557] WriteFile (in: hFile=0x1d0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0080.561] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0080.561] WriteFile (in: hFile=0x1d0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0080.566] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40a97c0 | out: hHeap=0x240000) returned 1 [0080.566] CloseHandle (hObject=0x1d0) returned 1 [0082.153] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0082.154] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0082.154] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0082.154] lstrlenW (lpString=".doc") returned 4 [0082.154] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0082.154] lstrlenW (lpString=".docx") returned 5 [0082.154] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0082.154] lstrlenW (lpString=".pdf") returned 4 [0082.154] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0082.154] lstrlenW (lpString=".xls") returned 4 [0082.154] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0082.154] lstrlenW (lpString=".xlsx") returned 5 [0082.154] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0082.154] lstrlenW (lpString=".ppt") returned 4 [0082.154] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0082.154] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0082.154] lstrlenW (lpString=".zip") returned 4 [0082.154] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0082.154] lstrlenW (lpString=".rar") returned 4 [0082.154] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0082.154] lstrlenW (lpString=".bz2") returned 4 [0082.154] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0082.154] lstrlenW (lpString=".7z") returned 3 [0082.154] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0082.154] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0082.154] lstrlenW (lpString=".dbf") returned 4 [0082.154] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0082.154] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0082.154] lstrlenW (lpString=".1cd") returned 4 [0082.155] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0082.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0082.155] lstrlenW (lpString=".jpg") returned 4 [0082.155] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0082.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0082.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0082.155] lstrlenW (lpString=".doc") returned 4 [0082.155] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0082.155] lstrlenW (lpString=".docx") returned 5 [0082.155] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0082.155] lstrlenW (lpString=".pdf") returned 4 [0082.155] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0082.155] lstrlenW (lpString=".xls") returned 4 [0082.155] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0082.155] lstrlenW (lpString=".xlsx") returned 5 [0082.155] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0082.155] lstrlenW (lpString=".ppt") returned 4 [0082.155] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0082.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0082.155] lstrlenW (lpString=".zip") returned 4 [0082.155] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0082.155] lstrlenW (lpString=".rar") returned 4 [0082.155] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0082.155] lstrlenW (lpString=".bz2") returned 4 [0082.155] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0082.155] lstrlenW (lpString=".7z") returned 3 [0082.155] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0082.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0082.155] lstrlenW (lpString=".dbf") returned 4 [0082.155] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0082.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0082.155] lstrlenW (lpString=".1cd") returned 4 [0082.155] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0082.155] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0082.155] lstrlenW (lpString=".jpg") returned 4 [0082.156] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0082.156] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0082.156] lstrlenW (lpString="OnoteLR.cab") returned 11 [0082.156] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0082.161] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=17456632) returned 1 [0082.161] CloseHandle (hObject=0x1d0) returned 1 [0082.161] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab")) returned 0x2020 [0082.161] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.161] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0082.161] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0082.162] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0x0) returned 1 [0082.162] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0082.162] ReadFile (in: hFile=0x1d0, lpBuffer=0x3d80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d80058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.569] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0082.569] ReadFile (in: hFile=0x1d0, lpBuffer=0x3dc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dc0058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.591] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0082.591] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0082.591] ReadFile (in: hFile=0x1d0, lpBuffer=0x3e00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e00058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.634] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0082.634] WriteFile (in: hFile=0x1d0, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x379fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0082.793] SetEndOfFile (hFile=0x1d0) returned 1 [0082.793] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40a97c0 [0082.793] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0082.793] WriteFile (in: hFile=0x1d0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0082.870] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0082.870] WriteFile (in: hFile=0x1d0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0082.871] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0082.871] WriteFile (in: hFile=0x1d0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0082.874] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40a97c0 | out: hHeap=0x240000) returned 1 [0082.874] CloseHandle (hObject=0x1d0) returned 1 [0082.874] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0082.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0082.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0082.875] lstrlenW (lpString=".doc") returned 4 [0082.875] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0082.875] lstrlenW (lpString=".docx") returned 5 [0082.875] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0082.875] lstrlenW (lpString=".pdf") returned 4 [0082.875] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0082.875] lstrlenW (lpString=".xls") returned 4 [0082.875] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0082.875] lstrlenW (lpString=".xlsx") returned 5 [0082.875] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0082.875] lstrlenW (lpString=".ppt") returned 4 [0082.875] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0082.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0082.875] lstrlenW (lpString=".zip") returned 4 [0082.875] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0082.875] lstrlenW (lpString=".rar") returned 4 [0082.875] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0082.875] lstrlenW (lpString=".bz2") returned 4 [0082.875] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0082.875] lstrlenW (lpString=".7z") returned 3 [0082.875] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0082.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0082.875] lstrlenW (lpString=".dbf") returned 4 [0082.875] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0082.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0082.875] lstrlenW (lpString=".1cd") returned 4 [0082.875] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0082.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0082.876] lstrlenW (lpString=".jpg") returned 4 [0082.876] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0082.876] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0082.876] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0082.876] lstrlenW (lpString=".doc") returned 4 [0082.876] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0082.876] lstrlenW (lpString=".docx") returned 5 [0082.876] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0082.876] lstrlenW (lpString=".pdf") returned 4 [0082.876] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0082.876] lstrlenW (lpString=".xls") returned 4 [0082.876] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0082.876] lstrlenW (lpString=".xlsx") returned 5 [0082.876] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0082.876] lstrlenW (lpString=".ppt") returned 4 [0082.876] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0082.876] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0082.876] lstrlenW (lpString=".zip") returned 4 [0082.876] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0082.876] lstrlenW (lpString=".rar") returned 4 [0082.876] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0082.876] lstrlenW (lpString=".bz2") returned 4 [0082.876] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0082.876] lstrlenW (lpString=".7z") returned 3 [0082.876] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0082.877] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0082.877] lstrlenW (lpString=".dbf") returned 4 [0082.877] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0082.877] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0082.877] lstrlenW (lpString=".1cd") returned 4 [0082.877] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0082.877] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0082.877] lstrlenW (lpString=".jpg") returned 4 [0082.877] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0082.877] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0082.877] lstrlenW (lpString="ProjLR.cab") returned 10 [0082.877] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0082.888] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=8265165) returned 1 [0082.889] CloseHandle (hObject=0x1d4) returned 1 [0082.889] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab")) returned 0x2020 [0082.889] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.889] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0082.890] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0082.890] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0x0) returned 1 [0082.890] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0082.890] ReadFile (in: hFile=0x1d4, lpBuffer=0x3d80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d80058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.941] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0082.941] ReadFile (in: hFile=0x1d4, lpBuffer=0x3dc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dc0058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.964] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0082.964] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0082.964] ReadFile (in: hFile=0x1d4, lpBuffer=0x3e00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e00058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0083.832] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0083.832] WriteFile (in: hFile=0x1d4, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x379fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0084.014] SetEndOfFile (hFile=0x1d4) returned 1 [0084.014] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0084.018] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0084.018] WriteFile (in: hFile=0x1d4, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0084.020] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0084.020] WriteFile (in: hFile=0x1d4, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0084.022] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0084.023] WriteFile (in: hFile=0x1d4, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0084.025] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0084.027] CloseHandle (hObject=0x1d4) returned 1 [0084.027] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0084.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0084.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0084.028] lstrlenW (lpString=".doc") returned 4 [0084.028] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0084.028] lstrlenW (lpString=".docx") returned 5 [0084.028] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0084.028] lstrlenW (lpString=".pdf") returned 4 [0084.028] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0084.028] lstrlenW (lpString=".xls") returned 4 [0084.028] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0084.028] lstrlenW (lpString=".xlsx") returned 5 [0084.028] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0084.028] lstrlenW (lpString=".ppt") returned 4 [0084.028] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0084.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0084.028] lstrlenW (lpString=".zip") returned 4 [0084.028] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0084.028] lstrlenW (lpString=".rar") returned 4 [0084.028] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0084.028] lstrlenW (lpString=".bz2") returned 4 [0084.028] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0084.028] lstrlenW (lpString=".7z") returned 3 [0084.028] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0084.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0084.028] lstrlenW (lpString=".dbf") returned 4 [0084.028] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0084.028] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0084.028] lstrlenW (lpString=".1cd") returned 4 [0084.028] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0084.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0084.246] lstrlenW (lpString=".jpg") returned 4 [0084.246] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0084.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0084.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0084.246] lstrlenW (lpString=".doc") returned 4 [0084.246] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0084.257] lstrlenW (lpString=".docx") returned 5 [0084.257] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0084.257] lstrlenW (lpString=".pdf") returned 4 [0084.257] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0084.257] lstrlenW (lpString=".xls") returned 4 [0084.258] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0084.258] lstrlenW (lpString=".xlsx") returned 5 [0084.258] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0084.258] lstrlenW (lpString=".ppt") returned 4 [0084.258] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0084.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0084.259] lstrlenW (lpString=".zip") returned 4 [0084.259] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0084.259] lstrlenW (lpString=".rar") returned 4 [0084.259] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0084.259] lstrlenW (lpString=".bz2") returned 4 [0084.259] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0084.263] lstrlenW (lpString=".7z") returned 3 [0084.263] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0084.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0084.263] lstrlenW (lpString=".dbf") returned 4 [0084.263] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0084.263] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0084.264] lstrlenW (lpString=".1cd") returned 4 [0084.265] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0084.265] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0084.265] lstrlenW (lpString=".jpg") returned 4 [0084.265] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0084.274] lstrcmpiW (lpString1=".dll", lpString2=".mnbzr") returned -1 [0084.274] lstrlenW (lpString="dwdcw20.dll") returned 11 [0084.274] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0085.557] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=526176) returned 1 [0085.558] CloseHandle (hObject=0x1d8) returned 1 [0085.558] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 0x2020 [0085.558] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.558] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0085.558] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.558] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.558] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.559] GetLastError () returned 0x0 [0085.559] ReadFile (in: hFile=0x1d8, lpBuffer=0x3d80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x379fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesRead=0x379fed4*=0x80760, lpOverlapped=0x0) returned 1 [0085.576] WriteFile (in: hFile=0x1b0, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0x80770, lpNumberOfBytesWritten=0x379fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fc9c*=0x80770, lpOverlapped=0x0) returned 1 [0085.589] ReadFile (in: hFile=0x1d8, lpBuffer=0x3d80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x379fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesRead=0x379fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.590] WriteFile (in: hFile=0x1b0, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x379fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fc9c*=0xea, lpOverlapped=0x0) returned 1 [0085.590] SetEndOfFile (hFile=0x1b0) returned 1 [0085.590] CloseHandle (hObject=0x1b0) returned 1 [0085.590] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.590] SetEndOfFile (hFile=0x1d8) returned 1 [0085.597] CloseHandle (hObject=0x1d8) returned 1 [0085.597] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0085.597] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 1 [0085.598] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0085.598] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0085.598] lstrlenW (lpString=".doc") returned 4 [0085.598] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0085.598] lstrlenW (lpString=".docx") returned 5 [0085.598] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0085.598] lstrlenW (lpString=".pdf") returned 4 [0085.598] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0085.598] lstrlenW (lpString=".xls") returned 4 [0085.598] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0085.598] lstrlenW (lpString=".xlsx") returned 5 [0085.598] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0085.598] lstrlenW (lpString=".ppt") returned 4 [0085.598] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0085.598] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0085.598] lstrlenW (lpString=".zip") returned 4 [0085.598] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0085.598] lstrlenW (lpString=".rar") returned 4 [0085.598] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0085.598] lstrlenW (lpString=".bz2") returned 4 [0085.598] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0085.598] lstrlenW (lpString=".7z") returned 3 [0085.598] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0085.598] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0085.598] lstrlenW (lpString=".dbf") returned 4 [0085.599] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0085.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0085.599] lstrlenW (lpString=".1cd") returned 4 [0085.599] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0085.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0085.599] lstrlenW (lpString=".jpg") returned 4 [0085.599] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0085.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0085.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0085.599] lstrlenW (lpString=".doc") returned 4 [0085.599] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0085.599] lstrlenW (lpString=".docx") returned 5 [0085.599] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0085.599] lstrlenW (lpString=".pdf") returned 4 [0085.599] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0085.599] lstrlenW (lpString=".xls") returned 4 [0085.599] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0085.599] lstrlenW (lpString=".xlsx") returned 5 [0085.599] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0085.599] lstrlenW (lpString=".ppt") returned 4 [0085.599] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0085.599] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0085.599] lstrlenW (lpString=".zip") returned 4 [0085.599] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0085.599] lstrlenW (lpString=".rar") returned 4 [0085.599] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0085.600] lstrlenW (lpString=".bz2") returned 4 [0085.600] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0085.600] lstrlenW (lpString=".7z") returned 3 [0085.600] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0085.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0085.600] lstrlenW (lpString=".dbf") returned 4 [0085.600] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0085.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0085.600] lstrlenW (lpString=".1cd") returned 4 [0085.600] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0085.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0085.600] lstrlenW (lpString=".jpg") returned 4 [0085.600] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0085.600] lstrcmpiW (lpString1=".manifest", lpString2=".mnbzr") returned -1 [0085.600] lstrlenW (lpString="Microsoft.VC90.CRT.manifest") returned 27 [0085.600] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0085.601] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=1857) returned 1 [0085.601] CloseHandle (hObject=0x1d8) returned 1 [0085.601] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 0x2020 [0085.601] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0085.601] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0085.601] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.601] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0085.601] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0085.602] GetLastError () returned 0x0 [0085.602] ReadFile (in: hFile=0x1d8, lpBuffer=0x3d80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x379fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesRead=0x379fed4*=0x741, lpOverlapped=0x0) returned 1 [0085.762] WriteFile (in: hFile=0x1b0, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x379fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fc9c*=0x750, lpOverlapped=0x0) returned 1 [0085.763] ReadFile (in: hFile=0x1d8, lpBuffer=0x3d80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x379fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesRead=0x379fed4*=0x0, lpOverlapped=0x0) returned 1 [0085.763] WriteFile (in: hFile=0x1b0, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x379fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fc9c*=0x10a, lpOverlapped=0x0) returned 1 [0085.763] SetEndOfFile (hFile=0x1b0) returned 1 [0086.033] CloseHandle (hObject=0x1b0) returned 1 [0086.073] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.073] SetEndOfFile (hFile=0x1d8) returned 1 [0086.074] CloseHandle (hObject=0x1d8) returned 1 [0086.074] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0086.075] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 1 [0086.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0086.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0086.075] lstrlenW (lpString=".doc") returned 4 [0086.075] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0086.075] lstrlenW (lpString=".docx") returned 5 [0086.075] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0086.075] lstrlenW (lpString=".pdf") returned 4 [0086.075] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0086.075] lstrlenW (lpString=".xls") returned 4 [0086.075] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0086.075] lstrlenW (lpString=".xlsx") returned 5 [0086.075] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0086.075] lstrlenW (lpString=".ppt") returned 4 [0086.076] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0086.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0086.076] lstrlenW (lpString=".zip") returned 4 [0086.076] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0086.076] lstrlenW (lpString=".rar") returned 4 [0086.076] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0086.076] lstrlenW (lpString=".bz2") returned 4 [0086.076] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0086.076] lstrlenW (lpString=".7z") returned 3 [0086.076] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0086.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0086.076] lstrlenW (lpString=".dbf") returned 4 [0086.076] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0086.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0086.076] lstrlenW (lpString=".1cd") returned 4 [0086.076] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0086.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0086.076] lstrlenW (lpString=".jpg") returned 4 [0086.076] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0086.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0086.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0086.076] lstrlenW (lpString=".doc") returned 4 [0086.076] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0086.076] lstrlenW (lpString=".docx") returned 5 [0086.077] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0086.077] lstrlenW (lpString=".pdf") returned 4 [0086.077] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0086.077] lstrlenW (lpString=".xls") returned 4 [0086.077] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0086.077] lstrlenW (lpString=".xlsx") returned 5 [0086.077] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0086.077] lstrlenW (lpString=".ppt") returned 4 [0086.077] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0086.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0086.077] lstrlenW (lpString=".zip") returned 4 [0086.077] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0086.077] lstrlenW (lpString=".rar") returned 4 [0086.077] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0086.077] lstrlenW (lpString=".bz2") returned 4 [0086.077] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0086.077] lstrlenW (lpString=".7z") returned 3 [0086.077] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0086.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0086.077] lstrlenW (lpString=".dbf") returned 4 [0086.077] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0086.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0086.077] lstrlenW (lpString=".1cd") returned 4 [0086.077] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0086.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0086.078] lstrlenW (lpString=".jpg") returned 4 [0086.078] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0086.078] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0086.078] lstrlenW (lpString="OfficeMUI.msi") returned 13 [0086.078] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0086.078] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=3702272) returned 1 [0086.078] CloseHandle (hObject=0x1d8) returned 1 [0086.079] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi")) returned 0x2020 [0086.079] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.079] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0086.079] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0086.080] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0x0) returned 1 [0086.080] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0086.080] ReadFile (in: hFile=0x1d8, lpBuffer=0x3d80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d80058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0086.084] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0086.085] ReadFile (in: hFile=0x1d8, lpBuffer=0x3dc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dc0058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0086.097] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0086.097] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0086.097] ReadFile (in: hFile=0x1d8, lpBuffer=0x3e00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e00058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0086.118] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.118] WriteFile (in: hFile=0x1d8, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x379fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0086.406] SetEndOfFile (hFile=0x1d8) returned 1 [0086.406] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0086.413] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0086.414] WriteFile (in: hFile=0x1d8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0086.635] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0086.636] WriteFile (in: hFile=0x1d8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0086.655] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0086.655] WriteFile (in: hFile=0x1d8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0086.658] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0086.774] CloseHandle (hObject=0x1d8) returned 1 [0086.774] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0086.774] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0086.774] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0086.774] lstrlenW (lpString=".doc") returned 4 [0086.774] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0086.774] lstrlenW (lpString=".docx") returned 5 [0086.775] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0086.775] lstrlenW (lpString=".pdf") returned 4 [0086.775] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0086.775] lstrlenW (lpString=".xls") returned 4 [0086.775] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0086.775] lstrlenW (lpString=".xlsx") returned 5 [0086.775] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0086.775] lstrlenW (lpString=".ppt") returned 4 [0086.775] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0086.775] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0086.775] lstrlenW (lpString=".zip") returned 4 [0086.775] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0086.775] lstrlenW (lpString=".rar") returned 4 [0086.775] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0086.775] lstrlenW (lpString=".bz2") returned 4 [0086.775] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0086.775] lstrlenW (lpString=".7z") returned 3 [0086.775] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0086.775] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0086.775] lstrlenW (lpString=".dbf") returned 4 [0086.775] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0086.775] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0086.775] lstrlenW (lpString=".1cd") returned 4 [0086.775] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0086.775] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0086.775] lstrlenW (lpString=".jpg") returned 4 [0086.775] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0086.776] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0086.776] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0086.776] lstrlenW (lpString=".doc") returned 4 [0086.776] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0086.776] lstrlenW (lpString=".docx") returned 5 [0086.776] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0086.776] lstrlenW (lpString=".pdf") returned 4 [0086.776] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0086.776] lstrlenW (lpString=".xls") returned 4 [0086.776] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0086.776] lstrlenW (lpString=".xlsx") returned 5 [0086.776] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0086.776] lstrlenW (lpString=".ppt") returned 4 [0086.776] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0086.776] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0086.776] lstrlenW (lpString=".zip") returned 4 [0086.776] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0086.776] lstrlenW (lpString=".rar") returned 4 [0086.776] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0086.776] lstrlenW (lpString=".bz2") returned 4 [0086.776] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0086.776] lstrlenW (lpString=".7z") returned 3 [0086.776] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0086.776] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0086.776] lstrlenW (lpString=".dbf") returned 4 [0086.776] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0086.777] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0086.777] lstrlenW (lpString=".1cd") returned 4 [0086.777] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0086.777] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0086.777] lstrlenW (lpString=".jpg") returned 4 [0086.777] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0086.777] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0086.777] lstrlenW (lpString="AccLR.cab") returned 9 [0086.777] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0086.778] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=28016276) returned 1 [0086.778] CloseHandle (hObject=0x1d8) returned 1 [0086.778] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab")) returned 0x2020 [0086.778] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.778] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0086.779] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0086.779] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0x0) returned 1 [0086.779] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0086.779] ReadFile (in: hFile=0x1d8, lpBuffer=0x3d80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d80058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0086.831] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0086.831] ReadFile (in: hFile=0x1d8, lpBuffer=0x3dc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dc0058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0086.846] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0086.846] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0086.846] ReadFile (in: hFile=0x1d8, lpBuffer=0x3e00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e00058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0086.865] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0086.866] WriteFile (in: hFile=0x1d8, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x379fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0087.154] SetEndOfFile (hFile=0x1d8) returned 1 [0087.155] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0087.164] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0087.164] WriteFile (in: hFile=0x1d8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0087.165] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0087.165] WriteFile (in: hFile=0x1d8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0087.169] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0087.169] WriteFile (in: hFile=0x1d8, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0087.172] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0087.172] CloseHandle (hObject=0x1d8) returned 1 [0087.172] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0087.241] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0087.241] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0087.241] lstrlenW (lpString=".doc") returned 4 [0087.241] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0087.241] lstrlenW (lpString=".docx") returned 5 [0087.241] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0087.241] lstrlenW (lpString=".pdf") returned 4 [0087.241] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0087.241] lstrlenW (lpString=".xls") returned 4 [0087.241] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0087.241] lstrlenW (lpString=".xlsx") returned 5 [0087.242] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0087.242] lstrlenW (lpString=".ppt") returned 4 [0087.242] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0087.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0087.242] lstrlenW (lpString=".zip") returned 4 [0087.242] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0087.242] lstrlenW (lpString=".rar") returned 4 [0087.242] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0087.242] lstrlenW (lpString=".bz2") returned 4 [0087.242] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0087.242] lstrlenW (lpString=".7z") returned 3 [0087.242] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0087.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0087.242] lstrlenW (lpString=".dbf") returned 4 [0087.242] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0087.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0087.242] lstrlenW (lpString=".1cd") returned 4 [0087.242] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0087.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0087.242] lstrlenW (lpString=".jpg") returned 4 [0087.242] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0087.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0087.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0087.242] lstrlenW (lpString=".doc") returned 4 [0087.242] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0087.242] lstrlenW (lpString=".docx") returned 5 [0087.242] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0087.242] lstrlenW (lpString=".pdf") returned 4 [0087.242] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0087.242] lstrlenW (lpString=".xls") returned 4 [0087.242] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0087.242] lstrlenW (lpString=".xlsx") returned 5 [0087.242] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0087.242] lstrlenW (lpString=".ppt") returned 4 [0087.243] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0087.243] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0087.243] lstrlenW (lpString=".zip") returned 4 [0087.243] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0087.243] lstrlenW (lpString=".rar") returned 4 [0087.243] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0087.243] lstrlenW (lpString=".bz2") returned 4 [0087.243] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0087.243] lstrlenW (lpString=".7z") returned 3 [0087.243] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0087.243] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0087.243] lstrlenW (lpString=".dbf") returned 4 [0087.243] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0087.243] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0087.243] lstrlenW (lpString=".1cd") returned 4 [0087.243] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0087.243] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0087.243] lstrlenW (lpString=".jpg") returned 4 [0087.243] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0087.243] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0087.243] lstrlenW (lpString="Office32WW.msi") returned 14 [0087.243] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0087.657] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=1992192) returned 1 [0087.657] CloseHandle (hObject=0x200) returned 1 [0087.658] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0087.660] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0087.670] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0088.220] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0088.226] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0x0) returned 1 [0088.226] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0088.226] ReadFile (in: hFile=0x1cc, lpBuffer=0x3d80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d80058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0089.172] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0089.172] ReadFile (in: hFile=0x1cc, lpBuffer=0x3dc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dc0058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0089.584] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0089.584] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0089.584] ReadFile (in: hFile=0x1cc, lpBuffer=0x3e00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e00058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0089.819] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0089.819] WriteFile (in: hFile=0x1cc, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x379fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0089.845] SetEndOfFile (hFile=0x1cc) returned 1 [0089.845] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0090.343] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0090.343] WriteFile (in: hFile=0x1cc, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0090.345] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0090.345] WriteFile (in: hFile=0x1cc, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0090.347] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0090.347] WriteFile (in: hFile=0x1cc, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0090.349] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0090.349] CloseHandle (hObject=0x1cc) returned 1 [0092.469] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0092.579] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0092.579] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0092.579] lstrlenW (lpString=".doc") returned 4 [0092.579] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0092.579] lstrlenW (lpString=".docx") returned 5 [0092.580] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0092.580] lstrlenW (lpString=".pdf") returned 4 [0092.580] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0092.580] lstrlenW (lpString=".xls") returned 4 [0092.580] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0092.580] lstrlenW (lpString=".xlsx") returned 5 [0092.580] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0092.580] lstrlenW (lpString=".ppt") returned 4 [0092.580] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0092.580] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0092.580] lstrlenW (lpString=".zip") returned 4 [0092.580] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0092.580] lstrlenW (lpString=".rar") returned 4 [0092.580] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0092.580] lstrlenW (lpString=".bz2") returned 4 [0092.580] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0092.580] lstrlenW (lpString=".7z") returned 3 [0092.580] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0092.580] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0092.580] lstrlenW (lpString=".dbf") returned 4 [0092.580] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0092.580] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0092.580] lstrlenW (lpString=".1cd") returned 4 [0092.580] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0092.580] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0092.580] lstrlenW (lpString=".jpg") returned 4 [0092.581] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0092.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0092.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0092.581] lstrlenW (lpString=".doc") returned 4 [0092.581] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0092.581] lstrlenW (lpString=".docx") returned 5 [0092.581] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0092.581] lstrlenW (lpString=".pdf") returned 4 [0092.581] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0092.581] lstrlenW (lpString=".xls") returned 4 [0092.581] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0092.581] lstrlenW (lpString=".xlsx") returned 5 [0092.581] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0092.581] lstrlenW (lpString=".ppt") returned 4 [0092.581] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0092.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0092.581] lstrlenW (lpString=".zip") returned 4 [0092.581] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0092.581] lstrlenW (lpString=".rar") returned 4 [0092.581] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0092.581] lstrlenW (lpString=".bz2") returned 4 [0092.581] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0092.581] lstrlenW (lpString=".7z") returned 3 [0092.581] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0092.581] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0092.581] lstrlenW (lpString=".dbf") returned 4 [0092.582] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0092.582] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0092.582] lstrlenW (lpString=".1cd") returned 4 [0092.582] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0092.582] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0092.582] lstrlenW (lpString=".jpg") returned 4 [0092.582] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0092.582] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0092.582] lstrlenW (lpString="Office32WW.msi") returned 14 [0092.582] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0092.583] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=1992192) returned 1 [0092.583] CloseHandle (hObject=0x204) returned 1 [0092.583] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0092.583] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0092.584] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0092.584] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0092.584] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0x0) returned 1 [0092.585] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0092.585] ReadFile (in: hFile=0x204, lpBuffer=0x3d80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d80058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0092.611] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0092.611] ReadFile (in: hFile=0x204, lpBuffer=0x3dc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dc0058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0092.618] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0092.619] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0092.619] ReadFile (in: hFile=0x204, lpBuffer=0x3e00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e00058*, lpNumberOfBytesRead=0x379fc38*=0x40000, lpOverlapped=0x0) returned 1 [0092.646] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0092.646] WriteFile (in: hFile=0x204, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x379fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0092.964] SetEndOfFile (hFile=0x204) returned 1 [0092.964] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0093.125] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0093.125] WriteFile (in: hFile=0x204, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0093.127] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0093.127] WriteFile (in: hFile=0x204, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0093.130] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x379fc7c | out: lpNewFilePointer=0x0) returned 1 [0093.130] WriteFile (in: hFile=0x204, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x379fc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x379fc88*=0x40000, lpOverlapped=0x0) returned 1 [0093.132] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0093.132] CloseHandle (hObject=0x204) returned 1 [0093.133] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0093.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0093.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0093.133] lstrlenW (lpString=".doc") returned 4 [0093.133] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0093.133] lstrlenW (lpString=".docx") returned 5 [0093.133] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0093.133] lstrlenW (lpString=".pdf") returned 4 [0093.133] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0093.133] lstrlenW (lpString=".xls") returned 4 [0093.133] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0093.133] lstrlenW (lpString=".xlsx") returned 5 [0093.133] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0093.133] lstrlenW (lpString=".ppt") returned 4 [0093.133] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0093.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0093.133] lstrlenW (lpString=".zip") returned 4 [0093.133] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0093.134] lstrlenW (lpString=".rar") returned 4 [0093.134] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0093.134] lstrlenW (lpString=".bz2") returned 4 [0093.134] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0093.134] lstrlenW (lpString=".7z") returned 3 [0093.134] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0093.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0093.134] lstrlenW (lpString=".dbf") returned 4 [0093.134] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0093.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0093.134] lstrlenW (lpString=".1cd") returned 4 [0093.134] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0093.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0093.134] lstrlenW (lpString=".jpg") returned 4 [0093.134] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0093.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0093.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0093.134] lstrlenW (lpString=".doc") returned 4 [0093.134] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0093.134] lstrlenW (lpString=".docx") returned 5 [0093.134] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0093.134] lstrlenW (lpString=".pdf") returned 4 [0093.134] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0093.134] lstrlenW (lpString=".xls") returned 4 [0093.134] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0093.134] lstrlenW (lpString=".xlsx") returned 5 [0093.134] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0093.135] lstrlenW (lpString=".ppt") returned 4 [0093.135] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0093.135] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0093.135] lstrlenW (lpString=".zip") returned 4 [0093.135] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0093.135] lstrlenW (lpString=".rar") returned 4 [0093.135] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0093.135] lstrlenW (lpString=".bz2") returned 4 [0093.135] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0093.135] lstrlenW (lpString=".7z") returned 3 [0093.135] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0093.135] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0093.135] lstrlenW (lpString=".dbf") returned 4 [0093.135] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0093.135] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0093.135] lstrlenW (lpString=".1cd") returned 4 [0093.135] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0093.135] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0093.135] lstrlenW (lpString=".jpg") returned 4 [0093.135] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0093.135] lstrcmpiW (lpString1=".exe", lpString2=".mnbzr") returned -1 [0093.135] lstrlenW (lpString="ose.exe") returned 7 [0093.135] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0093.136] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=174440) returned 1 [0093.136] CloseHandle (hObject=0x204) returned 1 [0093.136] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0093.136] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.136] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0093.136] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0093.137] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0093.137] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0093.137] GetLastError () returned 0x0 [0093.137] ReadFile (in: hFile=0x204, lpBuffer=0x3d80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x379fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesRead=0x379fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0093.154] WriteFile (in: hFile=0x1f4, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x379fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0093.159] ReadFile (in: hFile=0x204, lpBuffer=0x3d80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x379fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesRead=0x379fed4*=0x0, lpOverlapped=0x0) returned 1 [0093.159] WriteFile (in: hFile=0x1f4, lpBuffer=0x3d80020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x379fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d80020*, lpNumberOfBytesWritten=0x379fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0093.159] SetEndOfFile (hFile=0x1f4) returned 1 [0093.159] CloseHandle (hObject=0x1f4) returned 1 [0093.159] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fec8 | out: lpNewFilePointer=0x0) returned 1 [0093.159] SetEndOfFile (hFile=0x204) returned 1 [0093.162] CloseHandle (hObject=0x204) returned 1 [0093.162] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0093.162] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0093.162] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0093.162] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0093.162] lstrlenW (lpString=".doc") returned 4 [0093.162] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0093.162] lstrlenW (lpString=".docx") returned 5 [0093.162] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0093.162] lstrlenW (lpString=".pdf") returned 4 [0093.162] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0093.162] lstrlenW (lpString=".xls") returned 4 [0093.163] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0093.163] lstrlenW (lpString=".xlsx") returned 5 [0093.163] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0093.163] lstrlenW (lpString=".ppt") returned 4 [0093.163] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0093.163] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0093.163] lstrlenW (lpString=".zip") returned 4 [0093.163] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0093.163] lstrlenW (lpString=".rar") returned 4 [0093.163] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0093.163] lstrlenW (lpString=".bz2") returned 4 [0093.163] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0093.163] lstrlenW (lpString=".7z") returned 3 [0093.163] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0093.163] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0093.163] lstrlenW (lpString=".dbf") returned 4 [0093.163] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0093.163] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0093.163] lstrlenW (lpString=".1cd") returned 4 [0093.163] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0093.163] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0093.163] lstrlenW (lpString=".jpg") returned 4 [0093.163] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0093.163] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0093.163] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0093.163] lstrlenW (lpString=".doc") returned 4 [0093.163] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0093.163] lstrlenW (lpString=".docx") returned 5 [0093.164] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0093.164] lstrlenW (lpString=".pdf") returned 4 [0093.164] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0093.164] lstrlenW (lpString=".xls") returned 4 [0093.164] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0093.164] lstrlenW (lpString=".xlsx") returned 5 [0093.164] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0093.164] lstrlenW (lpString=".ppt") returned 4 [0093.164] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0093.164] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0093.164] lstrlenW (lpString=".zip") returned 4 [0093.164] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0093.164] lstrlenW (lpString=".rar") returned 4 [0093.164] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0093.164] lstrlenW (lpString=".bz2") returned 4 [0093.164] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0093.164] lstrlenW (lpString=".7z") returned 3 [0093.164] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0093.164] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0093.164] lstrlenW (lpString=".dbf") returned 4 [0093.164] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0093.164] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0093.164] lstrlenW (lpString=".1cd") returned 4 [0093.164] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0093.164] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0093.164] lstrlenW (lpString=".jpg") returned 4 [0093.164] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0093.165] lstrcmpiW (lpString1=".dll", lpString2=".mnbzr") returned -1 [0093.165] lstrlenW (lpString="osetup.dll") returned 10 [0093.165] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0093.165] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x379ff1c | out: lpFileSize=0x379ff1c*=7378792) returned 1 [0093.165] CloseHandle (hObject=0x204) returned 1 [0093.165] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0093.165] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0093.166] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0093.166] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0093.166] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc6c | out: lpNewFilePointer=0x0) returned 1 [0093.166] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x379fc2c | out: lpNewFilePointer=0x0) returned 1 [0093.166] ReadFile (hFile=0x204, lpBuffer=0x3d80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x379fc38, lpOverlapped=0x0) Thread: id = 18 os_tid = 0x20c [0067.403] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x3282a08 [0067.403] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10000) returned 0x3292a10 [0067.404] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298dc0 [0067.404] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x6) returned 0x2e1080 [0067.404] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298dd8 [0067.404] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x100000) returned 0x3e90020 [0067.404] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298df0 [0067.404] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298df0, Size=0x20) returned 0x2df6a0 [0067.404] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x10) returned 0x298df0 [0067.404] RtlReAllocateHeap (Heap=0x240000, Flags=0x0, Ptr=0x298df0, Size=0x20) returned 0x2df678 [0067.404] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0067.404] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0067.405] Wow64DisableWow64FsRedirection (in: OldValue=0x38dff58 | out: OldValue=0x38dff58*=0x0) returned 1 [0067.405] lstrlenW (lpString="kernel32.dll") returned 12 [0067.405] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df6a0 | out: hHeap=0x240000) returned 1 [0067.405] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0067.405] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2df678 | out: hHeap=0x240000) returned 1 [0067.405] Sleep (dwMilliseconds=0x64) [0067.555] lstrcmpiW (lpString1=".mui", lpString2=".mnbzr") returned 1 [0067.555] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0067.555] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.569] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=89168) returned 1 [0067.569] CloseHandle (hObject=0x1b8) returned 1 [0067.569] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0067.569] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.569] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.570] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0067.570] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0067.570] lstrlenW (lpString=".doc") returned 4 [0067.570] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.570] lstrlenW (lpString=".docx") returned 5 [0067.570] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.570] lstrlenW (lpString=".pdf") returned 4 [0067.570] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.570] lstrlenW (lpString=".xls") returned 4 [0067.570] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.570] lstrlenW (lpString=".xlsx") returned 5 [0067.570] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.570] lstrlenW (lpString=".ppt") returned 4 [0067.570] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.570] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0067.570] lstrlenW (lpString=".zip") returned 4 [0067.570] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.570] lstrlenW (lpString=".rar") returned 4 [0067.570] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.570] lstrlenW (lpString=".bz2") returned 4 [0067.570] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.570] lstrlenW (lpString=".7z") returned 3 [0067.570] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.570] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0067.570] lstrlenW (lpString=".dbf") returned 4 [0067.570] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0067.570] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0067.570] lstrlenW (lpString=".1cd") returned 4 [0067.570] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0067.570] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0067.570] lstrlenW (lpString=".jpg") returned 4 [0067.571] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0067.571] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0067.571] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0067.571] lstrlenW (lpString=".doc") returned 4 [0067.571] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.571] lstrlenW (lpString=".docx") returned 5 [0067.571] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.571] lstrlenW (lpString=".pdf") returned 4 [0067.571] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.571] lstrlenW (lpString=".xls") returned 4 [0067.571] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.571] lstrlenW (lpString=".xlsx") returned 5 [0067.571] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.571] lstrlenW (lpString=".ppt") returned 4 [0067.571] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.571] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0067.571] lstrlenW (lpString=".zip") returned 4 [0067.571] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.571] lstrlenW (lpString=".rar") returned 4 [0067.571] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.571] lstrlenW (lpString=".bz2") returned 4 [0067.571] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.571] lstrlenW (lpString=".7z") returned 3 [0067.571] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.571] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0067.571] lstrlenW (lpString=".dbf") returned 4 [0067.571] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0067.571] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0067.571] lstrlenW (lpString=".1cd") returned 4 [0067.571] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0067.571] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0067.571] lstrlenW (lpString=".jpg") returned 4 [0067.572] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0067.572] lstrcmpiW (lpString1=".mui", lpString2=".mnbzr") returned 1 [0067.572] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0067.572] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.572] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=87616) returned 1 [0067.572] CloseHandle (hObject=0x1b8) returned 1 [0067.572] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0067.572] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.572] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.572] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0067.572] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0067.572] lstrlenW (lpString=".doc") returned 4 [0067.572] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.573] lstrlenW (lpString=".docx") returned 5 [0067.573] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.573] lstrlenW (lpString=".pdf") returned 4 [0067.573] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.573] lstrlenW (lpString=".xls") returned 4 [0067.573] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.573] lstrlenW (lpString=".xlsx") returned 5 [0067.573] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.573] lstrlenW (lpString=".ppt") returned 4 [0067.573] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.573] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0067.573] lstrlenW (lpString=".zip") returned 4 [0067.573] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.573] lstrlenW (lpString=".rar") returned 4 [0067.573] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.573] lstrlenW (lpString=".bz2") returned 4 [0067.573] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.573] lstrlenW (lpString=".7z") returned 3 [0067.573] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.573] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0067.573] lstrlenW (lpString=".dbf") returned 4 [0067.573] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0067.573] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0067.573] lstrlenW (lpString=".1cd") returned 4 [0067.573] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0067.573] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0067.573] lstrlenW (lpString=".jpg") returned 4 [0067.573] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0067.573] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0067.573] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0067.573] lstrlenW (lpString=".doc") returned 4 [0067.573] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.574] lstrlenW (lpString=".docx") returned 5 [0067.574] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.574] lstrlenW (lpString=".pdf") returned 4 [0067.574] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.574] lstrlenW (lpString=".xls") returned 4 [0067.574] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.574] lstrlenW (lpString=".xlsx") returned 5 [0067.574] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.574] lstrlenW (lpString=".ppt") returned 4 [0067.574] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.574] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0067.574] lstrlenW (lpString=".zip") returned 4 [0067.574] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.574] lstrlenW (lpString=".rar") returned 4 [0067.574] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.574] lstrlenW (lpString=".bz2") returned 4 [0067.574] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.574] lstrlenW (lpString=".7z") returned 3 [0067.574] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.574] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0067.574] lstrlenW (lpString=".dbf") returned 4 [0067.574] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0067.574] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0067.574] lstrlenW (lpString=".1cd") returned 4 [0067.574] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0067.574] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0067.574] lstrlenW (lpString=".jpg") returned 4 [0067.574] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0067.574] lstrcmpiW (lpString1=".mui", lpString2=".mnbzr") returned 1 [0067.574] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0067.575] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0067.575] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=91712) returned 1 [0067.575] CloseHandle (hObject=0x1b8) returned 1 [0067.575] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0067.575] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.575] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.575] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0067.575] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0067.575] lstrlenW (lpString=".doc") returned 4 [0067.575] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.575] lstrlenW (lpString=".docx") returned 5 [0067.575] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.575] lstrlenW (lpString=".pdf") returned 4 [0067.575] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.575] lstrlenW (lpString=".xls") returned 4 [0067.575] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.575] lstrlenW (lpString=".xlsx") returned 5 [0067.575] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.575] lstrlenW (lpString=".ppt") returned 4 [0067.575] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.575] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0067.575] lstrlenW (lpString=".zip") returned 4 [0067.576] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.576] lstrlenW (lpString=".rar") returned 4 [0067.576] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.576] lstrlenW (lpString=".bz2") returned 4 [0067.576] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.576] lstrlenW (lpString=".7z") returned 3 [0067.576] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.576] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0067.576] lstrlenW (lpString=".dbf") returned 4 [0067.576] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0067.576] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0067.576] lstrlenW (lpString=".1cd") returned 4 [0067.576] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0067.576] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0067.576] lstrlenW (lpString=".jpg") returned 4 [0067.576] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0067.576] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0067.576] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0067.576] lstrlenW (lpString=".doc") returned 4 [0067.576] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.576] lstrlenW (lpString=".docx") returned 5 [0067.576] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.576] lstrlenW (lpString=".pdf") returned 4 [0067.576] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.576] lstrlenW (lpString=".xls") returned 4 [0067.576] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.576] lstrlenW (lpString=".xlsx") returned 5 [0067.576] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.576] lstrlenW (lpString=".ppt") returned 4 [0067.576] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.576] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0067.576] lstrlenW (lpString=".zip") returned 4 [0067.577] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.577] lstrlenW (lpString=".rar") returned 4 [0067.577] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.577] lstrlenW (lpString=".bz2") returned 4 [0067.577] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.577] lstrlenW (lpString=".7z") returned 3 [0067.577] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.577] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0067.577] lstrlenW (lpString=".dbf") returned 4 [0067.577] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0067.577] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0067.577] lstrlenW (lpString=".1cd") returned 4 [0067.577] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0067.577] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0067.577] lstrlenW (lpString=".jpg") returned 4 [0067.577] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0067.585] lstrcmpiW (lpString1=".mui", lpString2=".mnbzr") returned 1 [0067.585] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0067.585] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.585] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=94800) returned 1 [0067.585] CloseHandle (hObject=0x1ac) returned 1 [0067.585] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0067.585] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.585] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.585] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0067.585] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0067.585] lstrlenW (lpString=".doc") returned 4 [0067.585] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.585] lstrlenW (lpString=".docx") returned 5 [0067.585] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.585] lstrlenW (lpString=".pdf") returned 4 [0067.585] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.586] lstrlenW (lpString=".xls") returned 4 [0067.586] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.586] lstrlenW (lpString=".xlsx") returned 5 [0067.586] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.586] lstrlenW (lpString=".ppt") returned 4 [0067.586] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.586] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0067.586] lstrlenW (lpString=".zip") returned 4 [0067.586] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.586] lstrlenW (lpString=".rar") returned 4 [0067.586] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.586] lstrlenW (lpString=".bz2") returned 4 [0067.586] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.586] lstrlenW (lpString=".7z") returned 3 [0067.586] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.586] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0067.586] lstrlenW (lpString=".dbf") returned 4 [0067.586] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0067.586] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0067.586] lstrlenW (lpString=".1cd") returned 4 [0067.586] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0067.586] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0067.586] lstrlenW (lpString=".jpg") returned 4 [0067.586] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0067.587] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0067.587] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0067.587] lstrlenW (lpString=".doc") returned 4 [0067.587] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.587] lstrlenW (lpString=".docx") returned 5 [0067.587] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.587] lstrlenW (lpString=".pdf") returned 4 [0067.587] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.587] lstrlenW (lpString=".xls") returned 4 [0067.587] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.587] lstrlenW (lpString=".xlsx") returned 5 [0067.587] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.587] lstrlenW (lpString=".ppt") returned 4 [0067.587] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.587] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0067.587] lstrlenW (lpString=".zip") returned 4 [0067.587] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.587] lstrlenW (lpString=".rar") returned 4 [0067.587] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.587] lstrlenW (lpString=".bz2") returned 4 [0067.587] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.587] lstrlenW (lpString=".7z") returned 3 [0067.587] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.587] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0067.587] lstrlenW (lpString=".dbf") returned 4 [0067.587] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0067.587] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0067.587] lstrlenW (lpString=".1cd") returned 4 [0067.587] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0067.587] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0067.587] lstrlenW (lpString=".jpg") returned 4 [0067.587] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0067.588] lstrcmpiW (lpString1=".mui", lpString2=".mnbzr") returned 1 [0067.588] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0067.588] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.588] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=85056) returned 1 [0067.588] CloseHandle (hObject=0x1ac) returned 1 [0067.588] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui")) returned 0x20 [0067.588] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.588] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.588] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0067.588] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0067.588] lstrlenW (lpString=".doc") returned 4 [0067.588] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.588] lstrlenW (lpString=".docx") returned 5 [0067.588] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.588] lstrlenW (lpString=".pdf") returned 4 [0067.588] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.588] lstrlenW (lpString=".xls") returned 4 [0067.588] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.589] lstrlenW (lpString=".xlsx") returned 5 [0067.589] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.589] lstrlenW (lpString=".ppt") returned 4 [0067.589] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.589] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0067.589] lstrlenW (lpString=".zip") returned 4 [0067.589] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.589] lstrlenW (lpString=".rar") returned 4 [0067.589] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.589] lstrlenW (lpString=".bz2") returned 4 [0067.589] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.589] lstrlenW (lpString=".7z") returned 3 [0067.589] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.589] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0067.589] lstrlenW (lpString=".dbf") returned 4 [0067.589] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0067.589] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0067.589] lstrlenW (lpString=".1cd") returned 4 [0067.589] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0067.589] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0067.589] lstrlenW (lpString=".jpg") returned 4 [0067.589] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0067.589] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0067.589] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0067.589] lstrlenW (lpString=".doc") returned 4 [0067.589] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.589] lstrlenW (lpString=".docx") returned 5 [0067.590] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.590] lstrlenW (lpString=".pdf") returned 4 [0067.590] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.590] lstrlenW (lpString=".xls") returned 4 [0067.590] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.590] lstrlenW (lpString=".xlsx") returned 5 [0067.590] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.590] lstrlenW (lpString=".ppt") returned 4 [0067.590] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.590] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0067.590] lstrlenW (lpString=".zip") returned 4 [0067.590] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.590] lstrlenW (lpString=".rar") returned 4 [0067.590] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.590] lstrlenW (lpString=".bz2") returned 4 [0067.590] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.590] lstrlenW (lpString=".7z") returned 3 [0067.590] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.590] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0067.590] lstrlenW (lpString=".dbf") returned 4 [0067.590] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0067.590] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0067.590] lstrlenW (lpString=".1cd") returned 4 [0067.590] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0067.590] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0067.590] lstrlenW (lpString=".jpg") returned 4 [0067.590] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0067.591] lstrcmpiW (lpString1=".mui", lpString2=".mnbzr") returned 1 [0067.591] lstrlenW (lpString="memtest.exe.mui") returned 15 [0067.591] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.591] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=43600) returned 1 [0067.591] CloseHandle (hObject=0x1ac) returned 1 [0067.591] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui")) returned 0x20 [0067.591] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.592] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.592] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0067.592] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0067.592] lstrlenW (lpString=".doc") returned 4 [0067.592] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.592] lstrlenW (lpString=".docx") returned 5 [0067.592] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.592] lstrlenW (lpString=".pdf") returned 4 [0067.592] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.592] lstrlenW (lpString=".xls") returned 4 [0067.592] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.592] lstrlenW (lpString=".xlsx") returned 5 [0067.592] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.592] lstrlenW (lpString=".ppt") returned 4 [0067.592] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.592] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0067.592] lstrlenW (lpString=".zip") returned 4 [0067.592] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.592] lstrlenW (lpString=".rar") returned 4 [0067.592] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.592] lstrlenW (lpString=".bz2") returned 4 [0067.592] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.592] lstrlenW (lpString=".7z") returned 3 [0067.592] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.593] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0067.593] lstrlenW (lpString=".dbf") returned 4 [0067.593] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0067.593] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0067.593] lstrlenW (lpString=".1cd") returned 4 [0067.593] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0067.593] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0067.593] lstrlenW (lpString=".jpg") returned 4 [0067.593] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0067.593] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0067.593] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0067.593] lstrlenW (lpString=".doc") returned 4 [0067.593] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.593] lstrlenW (lpString=".docx") returned 5 [0067.593] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.593] lstrlenW (lpString=".pdf") returned 4 [0067.593] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.593] lstrlenW (lpString=".xls") returned 4 [0067.593] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.593] lstrlenW (lpString=".xlsx") returned 5 [0067.593] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.593] lstrlenW (lpString=".ppt") returned 4 [0067.593] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.593] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0067.593] lstrlenW (lpString=".zip") returned 4 [0067.593] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.594] lstrlenW (lpString=".rar") returned 4 [0067.594] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.594] lstrlenW (lpString=".bz2") returned 4 [0067.594] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.594] lstrlenW (lpString=".7z") returned 3 [0067.594] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.594] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0067.594] lstrlenW (lpString=".dbf") returned 4 [0067.594] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0067.594] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0067.594] lstrlenW (lpString=".1cd") returned 4 [0067.594] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0067.594] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0067.594] lstrlenW (lpString=".jpg") returned 4 [0067.594] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0067.594] lstrcmpiW (lpString1=".mui", lpString2=".mnbzr") returned 1 [0067.594] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0067.594] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0067.595] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=90192) returned 1 [0067.595] CloseHandle (hObject=0x1ac) returned 1 [0067.595] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui")) returned 0x20 [0067.595] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.595] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0067.595] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0067.595] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0067.595] lstrlenW (lpString=".doc") returned 4 [0067.595] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0067.595] lstrlenW (lpString=".docx") returned 5 [0067.595] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0067.595] lstrlenW (lpString=".pdf") returned 4 [0067.595] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0067.596] lstrlenW (lpString=".xls") returned 4 [0067.596] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0067.596] lstrlenW (lpString=".xlsx") returned 5 [0067.596] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0067.596] lstrlenW (lpString=".ppt") returned 4 [0067.596] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0067.596] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0067.596] lstrlenW (lpString=".zip") returned 4 [0067.596] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0067.596] lstrlenW (lpString=".rar") returned 4 [0067.596] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0067.596] lstrlenW (lpString=".bz2") returned 4 [0067.596] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0067.596] lstrlenW (lpString=".7z") returned 3 [0067.596] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0067.597] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0 [0067.868] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0 [0067.869] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0 [0067.873] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=16972987) returned 1 [0067.873] CloseHandle (hObject=0x1cc) returned 1 [0067.873] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab")) returned 0x2020 [0067.873] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0067.874] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0067.874] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0067.875] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0x0) returned 1 [0067.875] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0067.875] ReadFile (in: hFile=0x1cc, lpBuffer=0x3e90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e90058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0067.993] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0067.993] ReadFile (in: hFile=0x1cc, lpBuffer=0x3ed0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3ed0058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0069.295] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0069.295] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0069.295] ReadFile (in: hFile=0x1cc, lpBuffer=0x3f10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0069.470] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0069.470] WriteFile (in: hFile=0x1cc, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x38dfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0069.486] SetEndOfFile (hFile=0x1cc) returned 1 [0069.486] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40497b8 [0069.612] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0069.612] WriteFile (in: hFile=0x1cc, lpBuffer=0x40497b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40497b8*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.613] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0069.613] WriteFile (in: hFile=0x1cc, lpBuffer=0x40497b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40497b8*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.622] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0069.623] WriteFile (in: hFile=0x1cc, lpBuffer=0x40497b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40497b8*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0069.625] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40497b8 | out: hHeap=0x240000) returned 1 [0069.630] CloseHandle (hObject=0x1cc) returned 1 [0073.224] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0073.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0073.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0073.965] lstrlenW (lpString=".doc") returned 4 [0073.965] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0073.965] lstrlenW (lpString=".docx") returned 5 [0073.965] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0073.965] lstrlenW (lpString=".pdf") returned 4 [0073.965] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0073.965] lstrlenW (lpString=".xls") returned 4 [0073.965] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0073.965] lstrlenW (lpString=".xlsx") returned 5 [0073.965] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0073.965] lstrlenW (lpString=".ppt") returned 4 [0073.965] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0073.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0073.965] lstrlenW (lpString=".zip") returned 4 [0073.966] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0073.966] lstrlenW (lpString=".rar") returned 4 [0073.966] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0073.966] lstrlenW (lpString=".bz2") returned 4 [0073.966] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0073.966] lstrlenW (lpString=".7z") returned 3 [0073.966] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0073.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0073.966] lstrlenW (lpString=".dbf") returned 4 [0073.966] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0073.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0073.966] lstrlenW (lpString=".1cd") returned 4 [0073.966] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0073.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0073.966] lstrlenW (lpString=".jpg") returned 4 [0073.966] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0073.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0073.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0073.966] lstrlenW (lpString=".doc") returned 4 [0073.966] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0073.966] lstrlenW (lpString=".docx") returned 5 [0073.966] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0073.966] lstrlenW (lpString=".pdf") returned 4 [0073.966] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0073.966] lstrlenW (lpString=".xls") returned 4 [0073.967] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0073.967] lstrlenW (lpString=".xlsx") returned 5 [0073.967] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0073.967] lstrlenW (lpString=".ppt") returned 4 [0073.967] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0073.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0073.967] lstrlenW (lpString=".zip") returned 4 [0073.967] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0073.967] lstrlenW (lpString=".rar") returned 4 [0073.967] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0073.967] lstrlenW (lpString=".bz2") returned 4 [0073.967] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0073.967] lstrlenW (lpString=".7z") returned 3 [0073.967] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0073.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0073.967] lstrlenW (lpString=".dbf") returned 4 [0073.967] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0073.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0073.967] lstrlenW (lpString=".1cd") returned 4 [0073.967] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0073.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0073.967] lstrlenW (lpString=".jpg") returned 4 [0073.968] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0073.968] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0073.968] lstrlenW (lpString="OutlookMUI.msi") returned 14 [0073.968] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0073.968] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=2865664) returned 1 [0073.968] CloseHandle (hObject=0x1e4) returned 1 [0073.968] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi")) returned 0x2020 [0073.968] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0073.969] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0074.067] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0074.068] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0x0) returned 1 [0074.068] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0074.068] ReadFile (in: hFile=0x1ec, lpBuffer=0x3e90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e90058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0074.159] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0074.159] ReadFile (in: hFile=0x1ec, lpBuffer=0x3ed0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3ed0058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0074.203] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0074.203] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0074.203] ReadFile (in: hFile=0x1ec, lpBuffer=0x3f10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0074.550] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0074.550] WriteFile (in: hFile=0x1ec, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x38dfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0074.570] SetEndOfFile (hFile=0x1ec) returned 1 [0074.570] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0074.570] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0074.570] WriteFile (in: hFile=0x1ec, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0074.572] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0074.572] WriteFile (in: hFile=0x1ec, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0074.720] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0074.720] WriteFile (in: hFile=0x1ec, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0074.722] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0074.722] CloseHandle (hObject=0x1ec) returned 1 [0075.692] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0075.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0075.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0075.694] lstrlenW (lpString=".doc") returned 4 [0075.694] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0075.694] lstrlenW (lpString=".docx") returned 5 [0075.694] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0075.694] lstrlenW (lpString=".pdf") returned 4 [0075.694] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0075.694] lstrlenW (lpString=".xls") returned 4 [0075.694] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0075.694] lstrlenW (lpString=".xlsx") returned 5 [0075.694] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0075.694] lstrlenW (lpString=".ppt") returned 4 [0075.694] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0075.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0075.694] lstrlenW (lpString=".zip") returned 4 [0075.694] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0075.694] lstrlenW (lpString=".rar") returned 4 [0075.694] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0075.694] lstrlenW (lpString=".bz2") returned 4 [0075.695] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0075.695] lstrlenW (lpString=".7z") returned 3 [0075.695] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0075.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0075.695] lstrlenW (lpString=".dbf") returned 4 [0075.695] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0075.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0075.695] lstrlenW (lpString=".1cd") returned 4 [0075.695] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0075.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0075.695] lstrlenW (lpString=".jpg") returned 4 [0075.695] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0075.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0075.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0075.695] lstrlenW (lpString=".doc") returned 4 [0075.695] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0075.696] lstrlenW (lpString=".docx") returned 5 [0075.696] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0075.696] lstrlenW (lpString=".pdf") returned 4 [0075.696] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0075.696] lstrlenW (lpString=".xls") returned 4 [0075.696] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0075.696] lstrlenW (lpString=".xlsx") returned 5 [0075.696] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0075.696] lstrlenW (lpString=".ppt") returned 4 [0075.696] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0075.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0075.696] lstrlenW (lpString=".zip") returned 4 [0075.696] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0075.696] lstrlenW (lpString=".rar") returned 4 [0075.696] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0075.696] lstrlenW (lpString=".bz2") returned 4 [0075.696] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0075.696] lstrlenW (lpString=".7z") returned 3 [0075.696] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0075.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0075.697] lstrlenW (lpString=".dbf") returned 4 [0075.697] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0075.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0075.697] lstrlenW (lpString=".1cd") returned 4 [0075.697] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0075.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0075.697] lstrlenW (lpString=".jpg") returned 4 [0075.697] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0075.697] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0075.697] lstrlenW (lpString="Proof.msi") returned 9 [0075.697] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0075.698] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=875520) returned 1 [0075.698] CloseHandle (hObject=0x1ec) returned 1 [0075.698] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 0x2020 [0075.698] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0075.934] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0075.934] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0075.934] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0075.934] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0075.935] GetLastError () returned 0x0 [0075.935] ReadFile (in: hFile=0x1b0, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0xd5c00, lpOverlapped=0x0) returned 1 [0077.488] WriteFile (in: hFile=0x1c8, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xd5c10, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xd5c10, lpOverlapped=0x0) returned 1 [0077.506] ReadFile (in: hFile=0x1b0, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0x0, lpOverlapped=0x0) returned 1 [0077.506] WriteFile (in: hFile=0x1c8, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0077.507] SetEndOfFile (hFile=0x1c8) returned 1 [0077.507] CloseHandle (hObject=0x1c8) returned 1 [0078.028] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.028] SetEndOfFile (hFile=0x1b0) returned 1 [0078.038] CloseHandle (hObject=0x1b0) returned 1 [0078.038] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0078.249] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 1 [0078.249] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0078.249] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0078.249] lstrlenW (lpString=".doc") returned 4 [0078.249] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0078.249] lstrlenW (lpString=".docx") returned 5 [0078.249] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0078.249] lstrlenW (lpString=".pdf") returned 4 [0078.249] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0078.249] lstrlenW (lpString=".xls") returned 4 [0078.249] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0078.249] lstrlenW (lpString=".xlsx") returned 5 [0078.249] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0078.249] lstrlenW (lpString=".ppt") returned 4 [0078.249] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0078.249] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0078.249] lstrlenW (lpString=".zip") returned 4 [0078.249] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0078.249] lstrlenW (lpString=".rar") returned 4 [0078.249] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0078.249] lstrlenW (lpString=".bz2") returned 4 [0078.249] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0078.249] lstrlenW (lpString=".7z") returned 3 [0078.249] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0078.249] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0078.249] lstrlenW (lpString=".dbf") returned 4 [0078.249] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0078.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0078.250] lstrlenW (lpString=".1cd") returned 4 [0078.250] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0078.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0078.250] lstrlenW (lpString=".jpg") returned 4 [0078.250] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0078.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0078.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0078.250] lstrlenW (lpString=".doc") returned 4 [0078.250] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0078.250] lstrlenW (lpString=".docx") returned 5 [0078.250] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0078.250] lstrlenW (lpString=".pdf") returned 4 [0078.250] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0078.250] lstrlenW (lpString=".xls") returned 4 [0078.250] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0078.250] lstrlenW (lpString=".xlsx") returned 5 [0078.250] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0078.250] lstrlenW (lpString=".ppt") returned 4 [0078.250] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0078.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0078.250] lstrlenW (lpString=".zip") returned 4 [0078.250] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0078.250] lstrlenW (lpString=".rar") returned 4 [0078.250] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0078.250] lstrlenW (lpString=".bz2") returned 4 [0078.250] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0078.250] lstrlenW (lpString=".7z") returned 3 [0078.250] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0078.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0078.250] lstrlenW (lpString=".dbf") returned 4 [0078.250] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0078.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0078.251] lstrlenW (lpString=".1cd") returned 4 [0078.251] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0078.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0078.251] lstrlenW (lpString=".jpg") returned 4 [0078.251] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0078.251] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0078.251] lstrlenW (lpString="Proof.msi") returned 9 [0078.251] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0078.251] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=881152) returned 1 [0078.251] CloseHandle (hObject=0x208) returned 1 [0078.251] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 0x2020 [0078.251] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0078.252] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0078.252] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.252] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.252] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0078.252] GetLastError () returned 0x0 [0078.252] ReadFile (in: hFile=0x208, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0xd7200, lpOverlapped=0x0) returned 1 [0078.338] WriteFile (in: hFile=0x1b0, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xd7210, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xd7210, lpOverlapped=0x0) returned 1 [0078.665] ReadFile (in: hFile=0x208, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0x0, lpOverlapped=0x0) returned 1 [0078.665] WriteFile (in: hFile=0x1b0, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0078.665] SetEndOfFile (hFile=0x1b0) returned 1 [0078.666] CloseHandle (hObject=0x1b0) returned 1 [0078.679] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0078.679] SetEndOfFile (hFile=0x208) returned 1 [0078.689] CloseHandle (hObject=0x208) returned 1 [0078.689] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0078.689] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 1 [0078.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0078.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0078.690] lstrlenW (lpString=".doc") returned 4 [0078.690] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0078.690] lstrlenW (lpString=".docx") returned 5 [0078.690] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0078.690] lstrlenW (lpString=".pdf") returned 4 [0078.690] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0078.690] lstrlenW (lpString=".xls") returned 4 [0078.690] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0078.690] lstrlenW (lpString=".xlsx") returned 5 [0078.690] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0078.690] lstrlenW (lpString=".ppt") returned 4 [0078.690] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0078.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0078.690] lstrlenW (lpString=".zip") returned 4 [0078.690] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0078.690] lstrlenW (lpString=".rar") returned 4 [0078.690] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0078.690] lstrlenW (lpString=".bz2") returned 4 [0078.690] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0078.690] lstrlenW (lpString=".7z") returned 3 [0078.690] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0078.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0078.690] lstrlenW (lpString=".dbf") returned 4 [0078.690] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0078.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0078.690] lstrlenW (lpString=".1cd") returned 4 [0078.690] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0078.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0078.691] lstrlenW (lpString=".jpg") returned 4 [0078.691] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0078.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0078.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0078.691] lstrlenW (lpString=".doc") returned 4 [0078.691] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0078.691] lstrlenW (lpString=".docx") returned 5 [0078.691] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0078.691] lstrlenW (lpString=".pdf") returned 4 [0078.691] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0078.691] lstrlenW (lpString=".xls") returned 4 [0078.691] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0078.691] lstrlenW (lpString=".xlsx") returned 5 [0078.691] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0078.691] lstrlenW (lpString=".ppt") returned 4 [0078.691] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0078.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0078.691] lstrlenW (lpString=".zip") returned 4 [0078.691] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0078.691] lstrlenW (lpString=".rar") returned 4 [0078.691] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0078.691] lstrlenW (lpString=".bz2") returned 4 [0078.691] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0078.691] lstrlenW (lpString=".7z") returned 3 [0078.691] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0078.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0078.692] lstrlenW (lpString=".dbf") returned 4 [0078.692] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0078.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0078.692] lstrlenW (lpString=".1cd") returned 4 [0078.692] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0078.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0078.692] lstrlenW (lpString=".jpg") returned 4 [0078.693] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0078.693] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0078.693] lstrlenW (lpString="Proof.msi") returned 9 [0078.693] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0079.085] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=885760) returned 1 [0079.085] CloseHandle (hObject=0x1f0) returned 1 [0079.085] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 0x2020 [0079.085] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0079.085] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0079.085] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.085] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.085] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0079.086] GetLastError () returned 0x0 [0079.086] ReadFile (in: hFile=0x1f0, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0xd8400, lpOverlapped=0x0) returned 1 [0079.115] WriteFile (in: hFile=0x208, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xd8410, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xd8410, lpOverlapped=0x0) returned 1 [0079.276] ReadFile (in: hFile=0x1f0, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0x0, lpOverlapped=0x0) returned 1 [0079.276] WriteFile (in: hFile=0x208, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0079.277] SetEndOfFile (hFile=0x208) returned 1 [0079.277] CloseHandle (hObject=0x208) returned 1 [0079.287] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.287] SetEndOfFile (hFile=0x1f0) returned 1 [0079.296] CloseHandle (hObject=0x1f0) returned 1 [0079.296] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0079.296] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 1 [0079.296] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0079.296] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0079.296] lstrlenW (lpString=".doc") returned 4 [0079.296] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0079.296] lstrlenW (lpString=".docx") returned 5 [0079.297] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0079.297] lstrlenW (lpString=".pdf") returned 4 [0079.297] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0079.297] lstrlenW (lpString=".xls") returned 4 [0079.297] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0079.297] lstrlenW (lpString=".xlsx") returned 5 [0079.297] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0079.297] lstrlenW (lpString=".ppt") returned 4 [0079.297] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0079.297] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0079.297] lstrlenW (lpString=".zip") returned 4 [0079.297] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0079.297] lstrlenW (lpString=".rar") returned 4 [0079.297] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0079.297] lstrlenW (lpString=".bz2") returned 4 [0079.297] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0079.297] lstrlenW (lpString=".7z") returned 3 [0079.297] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0079.297] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0079.297] lstrlenW (lpString=".dbf") returned 4 [0079.297] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0079.297] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0079.297] lstrlenW (lpString=".1cd") returned 4 [0079.297] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0079.297] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0079.297] lstrlenW (lpString=".jpg") returned 4 [0079.297] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0079.297] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0079.297] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0079.298] lstrlenW (lpString=".doc") returned 4 [0079.298] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0079.298] lstrlenW (lpString=".docx") returned 5 [0079.298] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0079.298] lstrlenW (lpString=".pdf") returned 4 [0079.298] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0079.298] lstrlenW (lpString=".xls") returned 4 [0079.298] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0079.298] lstrlenW (lpString=".xlsx") returned 5 [0079.298] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0079.298] lstrlenW (lpString=".ppt") returned 4 [0079.298] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0079.298] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0079.298] lstrlenW (lpString=".zip") returned 4 [0079.298] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0079.298] lstrlenW (lpString=".rar") returned 4 [0079.298] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0079.298] lstrlenW (lpString=".bz2") returned 4 [0079.298] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0079.298] lstrlenW (lpString=".7z") returned 3 [0079.298] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0079.298] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0079.298] lstrlenW (lpString=".dbf") returned 4 [0079.298] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0079.298] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0079.298] lstrlenW (lpString=".1cd") returned 4 [0079.298] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0079.298] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0079.298] lstrlenW (lpString=".jpg") returned 4 [0079.298] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0079.298] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0079.299] lstrlenW (lpString="Proofing.msi") returned 12 [0079.299] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0079.299] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=868864) returned 1 [0079.299] CloseHandle (hObject=0x1f0) returned 1 [0079.299] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 0x2020 [0079.299] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0079.299] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0079.299] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.299] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.299] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0079.300] GetLastError () returned 0x0 [0079.300] ReadFile (in: hFile=0x1f0, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0xd4200, lpOverlapped=0x0) returned 1 [0079.326] WriteFile (in: hFile=0x208, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0079.347] ReadFile (in: hFile=0x1f0, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0x0, lpOverlapped=0x0) returned 1 [0079.348] WriteFile (in: hFile=0x208, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0079.348] SetEndOfFile (hFile=0x208) returned 1 [0079.348] CloseHandle (hObject=0x208) returned 1 [0079.653] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.653] SetEndOfFile (hFile=0x1f0) returned 1 [0079.665] CloseHandle (hObject=0x1f0) returned 1 [0079.665] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0079.665] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 1 [0079.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0079.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0079.666] lstrlenW (lpString=".doc") returned 4 [0079.666] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0079.666] lstrlenW (lpString=".docx") returned 5 [0079.666] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0079.666] lstrlenW (lpString=".pdf") returned 4 [0079.666] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0079.666] lstrlenW (lpString=".xls") returned 4 [0079.666] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0079.666] lstrlenW (lpString=".xlsx") returned 5 [0079.666] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0079.666] lstrlenW (lpString=".ppt") returned 4 [0079.666] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0079.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0079.666] lstrlenW (lpString=".zip") returned 4 [0079.666] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0079.666] lstrlenW (lpString=".rar") returned 4 [0079.666] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0079.666] lstrlenW (lpString=".bz2") returned 4 [0079.666] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0079.666] lstrlenW (lpString=".7z") returned 3 [0079.666] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0079.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0079.666] lstrlenW (lpString=".dbf") returned 4 [0079.666] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0079.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0079.667] lstrlenW (lpString=".1cd") returned 4 [0079.667] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0079.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0079.667] lstrlenW (lpString=".jpg") returned 4 [0079.667] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0079.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0079.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0079.667] lstrlenW (lpString=".doc") returned 4 [0079.667] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0079.667] lstrlenW (lpString=".docx") returned 5 [0079.667] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0079.667] lstrlenW (lpString=".pdf") returned 4 [0079.667] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0079.667] lstrlenW (lpString=".xls") returned 4 [0079.667] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0079.667] lstrlenW (lpString=".xlsx") returned 5 [0079.667] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0079.667] lstrlenW (lpString=".ppt") returned 4 [0079.667] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0079.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0079.667] lstrlenW (lpString=".zip") returned 4 [0079.667] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0079.667] lstrlenW (lpString=".rar") returned 4 [0079.667] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0079.667] lstrlenW (lpString=".bz2") returned 4 [0079.667] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0079.668] lstrlenW (lpString=".7z") returned 3 [0079.668] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0079.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0079.668] lstrlenW (lpString=".dbf") returned 4 [0079.668] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0079.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0079.668] lstrlenW (lpString=".1cd") returned 4 [0079.668] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0079.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0079.668] lstrlenW (lpString=".jpg") returned 4 [0079.668] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0079.668] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0079.668] lstrlenW (lpString="OWOW32LR.cab") returned 12 [0079.668] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0079.669] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=2928955) returned 1 [0079.669] CloseHandle (hObject=0x1f0) returned 1 [0079.669] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab")) returned 0x2020 [0079.669] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0079.669] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0079.670] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0079.670] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0x0) returned 1 [0079.671] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0079.671] ReadFile (in: hFile=0x1f0, lpBuffer=0x3e90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e90058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0079.896] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0079.896] ReadFile (in: hFile=0x1f0, lpBuffer=0x3ed0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3ed0058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0079.927] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0079.927] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0079.927] ReadFile (in: hFile=0x1f0, lpBuffer=0x3f10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0079.947] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0079.947] WriteFile (in: hFile=0x1f0, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x38dfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0080.359] SetEndOfFile (hFile=0x1f0) returned 1 [0080.359] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40a97c0 [0080.362] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0080.362] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0080.364] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0080.364] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0080.371] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0080.371] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0080.374] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40a97c0 | out: hHeap=0x240000) returned 1 [0080.374] CloseHandle (hObject=0x1f0) returned 1 [0081.486] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0081.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0081.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0081.487] lstrlenW (lpString=".doc") returned 4 [0081.487] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0081.487] lstrlenW (lpString=".docx") returned 5 [0081.487] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0081.487] lstrlenW (lpString=".pdf") returned 4 [0081.487] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0081.487] lstrlenW (lpString=".xls") returned 4 [0081.487] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0081.487] lstrlenW (lpString=".xlsx") returned 5 [0081.487] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0081.487] lstrlenW (lpString=".ppt") returned 4 [0081.487] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0081.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0081.487] lstrlenW (lpString=".zip") returned 4 [0081.487] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0081.487] lstrlenW (lpString=".rar") returned 4 [0081.487] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0081.487] lstrlenW (lpString=".bz2") returned 4 [0081.487] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0081.487] lstrlenW (lpString=".7z") returned 3 [0081.487] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0081.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0081.487] lstrlenW (lpString=".dbf") returned 4 [0081.488] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0081.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0081.488] lstrlenW (lpString=".1cd") returned 4 [0081.488] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0081.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0081.488] lstrlenW (lpString=".jpg") returned 4 [0081.488] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0081.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0081.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0081.488] lstrlenW (lpString=".doc") returned 4 [0081.488] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0081.488] lstrlenW (lpString=".docx") returned 5 [0081.488] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0081.488] lstrlenW (lpString=".pdf") returned 4 [0081.488] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0081.488] lstrlenW (lpString=".xls") returned 4 [0081.488] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0081.488] lstrlenW (lpString=".xlsx") returned 5 [0081.488] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0081.488] lstrlenW (lpString=".ppt") returned 4 [0081.488] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0081.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0081.488] lstrlenW (lpString=".zip") returned 4 [0081.488] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0081.488] lstrlenW (lpString=".rar") returned 4 [0081.488] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0081.488] lstrlenW (lpString=".bz2") returned 4 [0081.489] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0081.489] lstrlenW (lpString=".7z") returned 3 [0081.489] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0081.489] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0081.489] lstrlenW (lpString=".dbf") returned 4 [0081.489] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0081.489] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0081.489] lstrlenW (lpString=".1cd") returned 4 [0081.489] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0081.489] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0081.489] lstrlenW (lpString=".jpg") returned 4 [0081.489] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0081.489] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0081.489] lstrlenW (lpString="VisioLR.cab") returned 11 [0081.489] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0081.490] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=50823389) returned 1 [0081.490] CloseHandle (hObject=0x1f0) returned 1 [0081.490] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab")) returned 0x2020 [0081.490] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0081.490] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0081.491] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0081.491] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0x0) returned 1 [0081.491] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0081.491] ReadFile (in: hFile=0x1f0, lpBuffer=0x3e90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e90058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0081.794] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0081.794] ReadFile (in: hFile=0x1f0, lpBuffer=0x3ed0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3ed0058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0081.941] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0081.941] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0081.941] ReadFile (in: hFile=0x1f0, lpBuffer=0x3f10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.442] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0082.442] WriteFile (in: hFile=0x1f0, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x38dfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0082.468] SetEndOfFile (hFile=0x1f0) returned 1 [0082.468] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40a97c0 [0082.468] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0082.468] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0082.597] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0082.597] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0082.598] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0082.598] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0082.603] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40a97c0 | out: hHeap=0x240000) returned 1 [0082.603] CloseHandle (hObject=0x1f0) returned 1 [0082.603] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0082.604] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0082.604] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0082.604] lstrlenW (lpString=".doc") returned 4 [0082.604] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0082.604] lstrlenW (lpString=".docx") returned 5 [0082.604] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0082.604] lstrlenW (lpString=".pdf") returned 4 [0082.604] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0082.604] lstrlenW (lpString=".xls") returned 4 [0082.604] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0082.604] lstrlenW (lpString=".xlsx") returned 5 [0082.604] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0082.604] lstrlenW (lpString=".ppt") returned 4 [0082.604] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0082.604] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0082.604] lstrlenW (lpString=".zip") returned 4 [0082.604] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0082.604] lstrlenW (lpString=".rar") returned 4 [0082.604] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0082.604] lstrlenW (lpString=".bz2") returned 4 [0082.605] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0082.605] lstrlenW (lpString=".7z") returned 3 [0082.605] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0082.605] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0082.605] lstrlenW (lpString=".dbf") returned 4 [0082.605] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0082.605] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0082.605] lstrlenW (lpString=".1cd") returned 4 [0082.605] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0082.605] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0082.605] lstrlenW (lpString=".jpg") returned 4 [0082.605] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0082.605] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0082.605] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0082.605] lstrlenW (lpString=".doc") returned 4 [0082.605] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0082.605] lstrlenW (lpString=".docx") returned 5 [0082.605] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0082.605] lstrlenW (lpString=".pdf") returned 4 [0082.605] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0082.605] lstrlenW (lpString=".xls") returned 4 [0082.605] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0082.605] lstrlenW (lpString=".xlsx") returned 5 [0082.605] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0082.605] lstrlenW (lpString=".ppt") returned 4 [0082.605] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0082.605] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0082.606] lstrlenW (lpString=".zip") returned 4 [0082.606] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0082.606] lstrlenW (lpString=".rar") returned 4 [0082.606] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0082.606] lstrlenW (lpString=".bz2") returned 4 [0082.606] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0082.606] lstrlenW (lpString=".7z") returned 3 [0082.606] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0082.606] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0082.606] lstrlenW (lpString=".dbf") returned 4 [0082.606] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0082.606] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0082.606] lstrlenW (lpString=".1cd") returned 4 [0082.606] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0082.606] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0082.606] lstrlenW (lpString=".jpg") returned 4 [0082.606] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0082.606] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0082.606] lstrlenW (lpString="ProjectMUI.msi") returned 14 [0082.606] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0082.865] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=2511872) returned 1 [0082.865] CloseHandle (hObject=0x1f0) returned 1 [0082.865] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi")) returned 0x2020 [0082.865] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0082.865] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0082.866] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0082.866] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0x0) returned 1 [0082.866] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0082.866] ReadFile (in: hFile=0x1f0, lpBuffer=0x3e90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e90058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.936] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0082.936] ReadFile (in: hFile=0x1f0, lpBuffer=0x3ed0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3ed0058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0082.955] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0082.956] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0082.956] ReadFile (in: hFile=0x1f0, lpBuffer=0x3f10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0083.789] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0083.789] WriteFile (in: hFile=0x1f0, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x38dfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0083.809] SetEndOfFile (hFile=0x1f0) returned 1 [0083.809] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40a97c0 [0083.809] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0083.809] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0083.811] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0083.811] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0083.819] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0083.819] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0083.822] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40a97c0 | out: hHeap=0x240000) returned 1 [0083.822] CloseHandle (hObject=0x1f0) returned 1 [0083.822] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0083.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0083.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0083.822] lstrlenW (lpString=".doc") returned 4 [0083.822] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0083.823] lstrlenW (lpString=".docx") returned 5 [0083.823] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0083.823] lstrlenW (lpString=".pdf") returned 4 [0083.823] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0083.823] lstrlenW (lpString=".xls") returned 4 [0083.823] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0083.823] lstrlenW (lpString=".xlsx") returned 5 [0083.823] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0083.823] lstrlenW (lpString=".ppt") returned 4 [0083.823] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0083.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0083.823] lstrlenW (lpString=".zip") returned 4 [0083.823] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0083.823] lstrlenW (lpString=".rar") returned 4 [0083.823] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0083.823] lstrlenW (lpString=".bz2") returned 4 [0083.823] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0083.823] lstrlenW (lpString=".7z") returned 3 [0083.823] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0083.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0083.823] lstrlenW (lpString=".dbf") returned 4 [0083.823] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0083.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0083.823] lstrlenW (lpString=".1cd") returned 4 [0083.823] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0083.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0083.823] lstrlenW (lpString=".jpg") returned 4 [0083.823] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0083.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0083.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0083.823] lstrlenW (lpString=".doc") returned 4 [0083.823] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0083.823] lstrlenW (lpString=".docx") returned 5 [0083.823] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0083.823] lstrlenW (lpString=".pdf") returned 4 [0083.824] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0083.824] lstrlenW (lpString=".xls") returned 4 [0083.824] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0083.824] lstrlenW (lpString=".xlsx") returned 5 [0083.824] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0083.824] lstrlenW (lpString=".ppt") returned 4 [0083.824] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0083.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0083.824] lstrlenW (lpString=".zip") returned 4 [0083.824] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0083.824] lstrlenW (lpString=".rar") returned 4 [0083.824] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0083.824] lstrlenW (lpString=".bz2") returned 4 [0083.824] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0083.824] lstrlenW (lpString=".7z") returned 3 [0083.824] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0083.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0083.824] lstrlenW (lpString=".dbf") returned 4 [0083.824] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0083.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0083.824] lstrlenW (lpString=".1cd") returned 4 [0083.824] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0083.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0083.824] lstrlenW (lpString=".jpg") returned 4 [0083.824] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0083.824] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0083.824] lstrlenW (lpString="GrooveMUI.msi") returned 13 [0083.824] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0083.825] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=2507776) returned 1 [0083.825] CloseHandle (hObject=0x1f0) returned 1 [0083.825] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi")) returned 0x2020 [0083.825] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0083.825] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0083.885] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0083.885] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0x0) returned 1 [0083.885] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0083.885] ReadFile (in: hFile=0x1f0, lpBuffer=0x3e90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e90058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0083.890] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0083.890] ReadFile (in: hFile=0x1f0, lpBuffer=0x3ed0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3ed0058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0083.905] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0083.905] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0083.905] ReadFile (in: hFile=0x1f0, lpBuffer=0x3f10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0083.929] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0083.929] WriteFile (in: hFile=0x1f0, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x38dfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0084.157] SetEndOfFile (hFile=0x1f0) returned 1 [0084.158] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0084.158] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0084.158] WriteFile (in: hFile=0x1f0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0084.159] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0084.159] WriteFile (in: hFile=0x1f0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0084.166] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0084.166] WriteFile (in: hFile=0x1f0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0085.223] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0085.223] CloseHandle (hObject=0x1f0) returned 1 [0085.224] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0085.224] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0085.224] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0085.224] lstrlenW (lpString=".doc") returned 4 [0085.224] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0085.224] lstrlenW (lpString=".docx") returned 5 [0085.224] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0085.224] lstrlenW (lpString=".pdf") returned 4 [0085.224] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0085.224] lstrlenW (lpString=".xls") returned 4 [0085.224] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0085.224] lstrlenW (lpString=".xlsx") returned 5 [0085.224] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0085.224] lstrlenW (lpString=".ppt") returned 4 [0085.225] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0085.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0085.225] lstrlenW (lpString=".zip") returned 4 [0085.225] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0085.225] lstrlenW (lpString=".rar") returned 4 [0085.225] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0085.225] lstrlenW (lpString=".bz2") returned 4 [0085.225] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0085.225] lstrlenW (lpString=".7z") returned 3 [0085.225] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0085.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0085.225] lstrlenW (lpString=".dbf") returned 4 [0085.225] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0085.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0085.225] lstrlenW (lpString=".1cd") returned 4 [0085.225] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0085.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0085.225] lstrlenW (lpString=".jpg") returned 4 [0085.225] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0085.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0085.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0085.225] lstrlenW (lpString=".doc") returned 4 [0085.225] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0085.225] lstrlenW (lpString=".docx") returned 5 [0085.225] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0085.225] lstrlenW (lpString=".pdf") returned 4 [0085.226] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0085.226] lstrlenW (lpString=".xls") returned 4 [0085.226] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0085.226] lstrlenW (lpString=".xlsx") returned 5 [0085.226] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0085.226] lstrlenW (lpString=".ppt") returned 4 [0085.226] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0085.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0085.226] lstrlenW (lpString=".zip") returned 4 [0085.226] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0085.226] lstrlenW (lpString=".rar") returned 4 [0085.226] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0085.226] lstrlenW (lpString=".bz2") returned 4 [0085.226] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0085.226] lstrlenW (lpString=".7z") returned 3 [0085.226] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0085.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0085.226] lstrlenW (lpString=".dbf") returned 4 [0085.226] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0085.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0085.226] lstrlenW (lpString=".1cd") returned 4 [0085.226] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0085.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0085.226] lstrlenW (lpString=".jpg") returned 4 [0085.226] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0085.227] lstrcmpiW (lpString1=".exe", lpString2=".mnbzr") returned -1 [0085.227] lstrlenW (lpString="dwtrig20.exe") returned 12 [0085.227] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0086.031] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=519584) returned 1 [0086.031] CloseHandle (hObject=0x20c) returned 1 [0086.031] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 0x2020 [0086.031] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.031] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0086.031] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.031] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.031] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0086.032] GetLastError () returned 0x0 [0086.032] ReadFile (in: hFile=0x20c, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0x7eda0, lpOverlapped=0x0) returned 1 [0086.046] WriteFile (in: hFile=0x1fc, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0x7edb0, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0x7edb0, lpOverlapped=0x0) returned 1 [0086.058] ReadFile (in: hFile=0x20c, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0x0, lpOverlapped=0x0) returned 1 [0086.058] WriteFile (in: hFile=0x1fc, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0086.059] SetEndOfFile (hFile=0x1fc) returned 1 [0086.059] CloseHandle (hObject=0x1fc) returned 1 [0086.059] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.059] SetEndOfFile (hFile=0x20c) returned 1 [0086.065] CloseHandle (hObject=0x20c) returned 1 [0086.065] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0086.065] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 1 [0086.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0086.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0086.066] lstrlenW (lpString=".doc") returned 4 [0086.066] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0086.066] lstrlenW (lpString=".docx") returned 5 [0086.066] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0086.066] lstrlenW (lpString=".pdf") returned 4 [0086.066] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0086.066] lstrlenW (lpString=".xls") returned 4 [0086.066] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0086.066] lstrlenW (lpString=".xlsx") returned 5 [0086.066] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0086.066] lstrlenW (lpString=".ppt") returned 4 [0086.066] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0086.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0086.066] lstrlenW (lpString=".zip") returned 4 [0086.066] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0086.066] lstrlenW (lpString=".rar") returned 4 [0086.066] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0086.066] lstrlenW (lpString=".bz2") returned 4 [0086.066] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0086.066] lstrlenW (lpString=".7z") returned 3 [0086.066] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0086.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0086.066] lstrlenW (lpString=".dbf") returned 4 [0086.067] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0086.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0086.067] lstrlenW (lpString=".1cd") returned 4 [0086.067] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0086.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0086.067] lstrlenW (lpString=".jpg") returned 4 [0086.067] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0086.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0086.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0086.067] lstrlenW (lpString=".doc") returned 4 [0086.067] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0086.067] lstrlenW (lpString=".docx") returned 5 [0086.067] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0086.067] lstrlenW (lpString=".pdf") returned 4 [0086.067] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0086.067] lstrlenW (lpString=".xls") returned 4 [0086.067] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0086.067] lstrlenW (lpString=".xlsx") returned 5 [0086.067] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0086.067] lstrlenW (lpString=".ppt") returned 4 [0086.067] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0086.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0086.067] lstrlenW (lpString=".zip") returned 4 [0086.067] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0086.067] lstrlenW (lpString=".rar") returned 4 [0086.068] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0086.068] lstrlenW (lpString=".bz2") returned 4 [0086.068] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0086.068] lstrlenW (lpString=".7z") returned 3 [0086.068] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0086.068] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0086.068] lstrlenW (lpString=".dbf") returned 4 [0086.068] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0086.068] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0086.068] lstrlenW (lpString=".1cd") returned 4 [0086.068] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0086.068] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0086.068] lstrlenW (lpString=".jpg") returned 4 [0086.068] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0086.068] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0086.068] lstrlenW (lpString="OfficeLR.cab") returned 12 [0086.068] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0086.069] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=14127746) returned 1 [0086.069] CloseHandle (hObject=0x20c) returned 1 [0086.069] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab")) returned 0x2020 [0086.069] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.069] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0086.070] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0086.070] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0x0) returned 1 [0086.070] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0086.070] ReadFile (in: hFile=0x20c, lpBuffer=0x3e90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e90058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0086.339] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0086.339] ReadFile (in: hFile=0x20c, lpBuffer=0x3ed0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3ed0058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0086.345] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0086.346] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0086.346] ReadFile (in: hFile=0x20c, lpBuffer=0x3f10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0086.365] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.365] WriteFile (in: hFile=0x20c, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x38dfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0086.476] SetEndOfFile (hFile=0x20c) returned 1 [0086.476] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40a97c0 [0086.675] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0086.675] WriteFile (in: hFile=0x20c, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0086.676] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0086.676] WriteFile (in: hFile=0x20c, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0086.677] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0086.677] WriteFile (in: hFile=0x20c, lpBuffer=0x40a97c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40a97c0*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0086.680] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40a97c0 | out: hHeap=0x240000) returned 1 [0086.680] CloseHandle (hObject=0x20c) returned 1 [0086.681] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0086.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0086.681] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0086.681] lstrlenW (lpString=".doc") returned 4 [0086.681] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0086.681] lstrlenW (lpString=".docx") returned 5 [0086.681] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0086.681] lstrlenW (lpString=".pdf") returned 4 [0086.681] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0086.681] lstrlenW (lpString=".xls") returned 4 [0086.681] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0086.681] lstrlenW (lpString=".xlsx") returned 5 [0086.681] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0086.681] lstrlenW (lpString=".ppt") returned 4 [0086.682] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0086.682] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0086.682] lstrlenW (lpString=".zip") returned 4 [0086.682] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0086.682] lstrlenW (lpString=".rar") returned 4 [0086.682] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0086.682] lstrlenW (lpString=".bz2") returned 4 [0086.682] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0086.682] lstrlenW (lpString=".7z") returned 3 [0086.682] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0086.682] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0086.682] lstrlenW (lpString=".dbf") returned 4 [0086.682] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0086.682] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0086.682] lstrlenW (lpString=".1cd") returned 4 [0086.682] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0086.682] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0086.682] lstrlenW (lpString=".jpg") returned 4 [0086.682] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0086.682] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0086.682] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0086.682] lstrlenW (lpString=".doc") returned 4 [0086.682] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0086.682] lstrlenW (lpString=".docx") returned 5 [0086.682] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0086.682] lstrlenW (lpString=".pdf") returned 4 [0086.683] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0086.683] lstrlenW (lpString=".xls") returned 4 [0086.683] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0086.683] lstrlenW (lpString=".xlsx") returned 5 [0086.683] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0086.683] lstrlenW (lpString=".ppt") returned 4 [0086.683] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0086.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0086.683] lstrlenW (lpString=".zip") returned 4 [0086.683] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0086.683] lstrlenW (lpString=".rar") returned 4 [0086.683] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0086.683] lstrlenW (lpString=".bz2") returned 4 [0086.683] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0086.683] lstrlenW (lpString=".7z") returned 3 [0086.683] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0086.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0086.683] lstrlenW (lpString=".dbf") returned 4 [0086.683] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0086.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0086.683] lstrlenW (lpString=".1cd") returned 4 [0086.683] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0086.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0086.683] lstrlenW (lpString=".jpg") returned 4 [0086.683] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0086.684] lstrcmpiW (lpString1=".MST", lpString2=".mnbzr") returned 1 [0086.684] lstrlenW (lpString="ShellUI.MST") returned 11 [0086.684] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0086.684] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=3584) returned 1 [0086.684] CloseHandle (hObject=0x20c) returned 1 [0086.684] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 0x2020 [0086.684] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.685] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0086.685] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.685] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.685] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0086.685] GetLastError () returned 0x0 [0086.685] ReadFile (in: hFile=0x20c, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0xe00, lpOverlapped=0x0) returned 1 [0086.690] WriteFile (in: hFile=0x1d4, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xe10, lpOverlapped=0x0) returned 1 [0086.691] ReadFile (in: hFile=0x20c, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0x0, lpOverlapped=0x0) returned 1 [0086.691] WriteFile (in: hFile=0x1d4, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0086.691] SetEndOfFile (hFile=0x1d4) returned 1 [0086.692] CloseHandle (hObject=0x1d4) returned 1 [0086.693] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0086.693] SetEndOfFile (hFile=0x20c) returned 1 [0086.694] CloseHandle (hObject=0x20c) returned 1 [0086.694] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0086.694] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 1 [0086.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0086.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0086.695] lstrlenW (lpString=".doc") returned 4 [0086.695] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0086.695] lstrlenW (lpString=".docx") returned 5 [0086.695] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0086.695] lstrlenW (lpString=".pdf") returned 4 [0086.695] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0086.695] lstrlenW (lpString=".xls") returned 4 [0086.695] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0086.695] lstrlenW (lpString=".xlsx") returned 5 [0086.695] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0086.695] lstrlenW (lpString=".ppt") returned 4 [0086.695] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0086.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0086.695] lstrlenW (lpString=".zip") returned 4 [0086.695] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0086.695] lstrlenW (lpString=".rar") returned 4 [0086.695] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0086.695] lstrlenW (lpString=".bz2") returned 4 [0086.695] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0086.695] lstrlenW (lpString=".7z") returned 3 [0086.696] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0086.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0086.696] lstrlenW (lpString=".dbf") returned 4 [0086.696] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0086.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0086.696] lstrlenW (lpString=".1cd") returned 4 [0086.696] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0086.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0086.696] lstrlenW (lpString=".jpg") returned 4 [0086.696] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0086.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0086.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0086.696] lstrlenW (lpString=".doc") returned 4 [0086.696] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0086.696] lstrlenW (lpString=".docx") returned 5 [0086.696] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0086.696] lstrlenW (lpString=".pdf") returned 4 [0086.696] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0086.697] lstrlenW (lpString=".xls") returned 4 [0086.697] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0086.697] lstrlenW (lpString=".xlsx") returned 5 [0086.697] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0086.697] lstrlenW (lpString=".ppt") returned 4 [0086.697] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0086.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0086.697] lstrlenW (lpString=".zip") returned 4 [0086.697] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0086.697] lstrlenW (lpString=".rar") returned 4 [0086.697] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0086.697] lstrlenW (lpString=".bz2") returned 4 [0086.697] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0086.697] lstrlenW (lpString=".7z") returned 3 [0086.697] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0086.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0086.697] lstrlenW (lpString=".dbf") returned 4 [0086.697] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0086.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0086.697] lstrlenW (lpString=".1cd") returned 4 [0086.697] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0086.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0086.697] lstrlenW (lpString=".jpg") returned 4 [0086.697] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0086.698] lstrcmpiW (lpString1=".msi", lpString2=".mnbzr") returned 1 [0086.698] lstrlenW (lpString="AccessMUI.msi") returned 13 [0086.698] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0086.767] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=2517504) returned 1 [0086.767] CloseHandle (hObject=0x1d0) returned 1 [0086.767] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi")) returned 0x2020 [0086.767] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0086.767] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0086.768] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0086.768] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0x0) returned 1 [0086.768] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0086.768] ReadFile (in: hFile=0x1d0, lpBuffer=0x3e90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e90058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0086.786] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0086.786] ReadFile (in: hFile=0x1d0, lpBuffer=0x3ed0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3ed0058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0087.102] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0087.102] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0087.102] ReadFile (in: hFile=0x1d0, lpBuffer=0x3f10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0087.124] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0087.124] WriteFile (in: hFile=0x1d0, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x38dfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0087.228] SetEndOfFile (hFile=0x1d0) returned 1 [0087.228] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x40000) returned 0x40697b8 [0087.228] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0087.228] WriteFile (in: hFile=0x1d0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0087.230] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0087.230] WriteFile (in: hFile=0x1d0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0087.237] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc7c | out: lpNewFilePointer=0x0) returned 1 [0087.237] WriteFile (in: hFile=0x1d0, lpBuffer=0x40697b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38dfc88, lpOverlapped=0x0 | out: lpBuffer=0x40697b8*, lpNumberOfBytesWritten=0x38dfc88*=0x40000, lpOverlapped=0x0) returned 1 [0087.240] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0087.240] CloseHandle (hObject=0x1d0) returned 1 [0087.241] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0087.359] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0087.359] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0087.359] lstrlenW (lpString=".doc") returned 4 [0087.359] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0087.359] lstrlenW (lpString=".docx") returned 5 [0087.360] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0087.360] lstrlenW (lpString=".pdf") returned 4 [0087.360] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0087.360] lstrlenW (lpString=".xls") returned 4 [0087.360] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0087.360] lstrlenW (lpString=".xlsx") returned 5 [0087.360] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0087.360] lstrlenW (lpString=".ppt") returned 4 [0087.360] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0087.360] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0087.360] lstrlenW (lpString=".zip") returned 4 [0087.360] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0087.360] lstrlenW (lpString=".rar") returned 4 [0087.360] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0087.360] lstrlenW (lpString=".bz2") returned 4 [0087.360] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0087.360] lstrlenW (lpString=".7z") returned 3 [0087.360] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0087.360] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0087.360] lstrlenW (lpString=".dbf") returned 4 [0087.360] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0087.360] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0087.360] lstrlenW (lpString=".1cd") returned 4 [0087.360] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0087.360] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0087.360] lstrlenW (lpString=".jpg") returned 4 [0087.360] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0087.361] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0087.361] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0087.361] lstrlenW (lpString=".doc") returned 4 [0087.361] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0087.361] lstrlenW (lpString=".docx") returned 5 [0087.361] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0087.361] lstrlenW (lpString=".pdf") returned 4 [0087.361] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0087.361] lstrlenW (lpString=".xls") returned 4 [0087.361] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0087.361] lstrlenW (lpString=".xlsx") returned 5 [0087.361] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0087.361] lstrlenW (lpString=".ppt") returned 4 [0087.361] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0087.361] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0087.361] lstrlenW (lpString=".zip") returned 4 [0087.361] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0087.361] lstrlenW (lpString=".rar") returned 4 [0087.361] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0087.361] lstrlenW (lpString=".bz2") returned 4 [0087.361] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0087.361] lstrlenW (lpString=".7z") returned 3 [0087.361] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0087.361] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0087.361] lstrlenW (lpString=".dbf") returned 4 [0087.361] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0087.361] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0087.362] lstrlenW (lpString=".1cd") returned 4 [0087.362] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0087.362] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0087.362] lstrlenW (lpString=".jpg") returned 4 [0087.362] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0087.366] lstrcmpiW (lpString1=".exe", lpString2=".mnbzr") returned -1 [0087.366] lstrlenW (lpString="ose.exe") returned 7 [0087.366] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0087.660] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=174440) returned 1 [0087.660] CloseHandle (hObject=0x200) returned 1 [0087.660] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0087.660] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0087.665] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0087.669] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0087.669] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0087.669] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0088.221] GetLastError () returned 0x0 [0088.221] ReadFile (in: hFile=0x1d0, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0x2a968, lpOverlapped=0x0) returned 1 [0088.400] WriteFile (in: hFile=0x1b4, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0088.403] ReadFile (in: hFile=0x1d0, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0x0, lpOverlapped=0x0) returned 1 [0088.403] WriteFile (in: hFile=0x1b4, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xe2, lpOverlapped=0x0) returned 1 [0088.403] SetEndOfFile (hFile=0x1b4) returned 1 [0088.403] CloseHandle (hObject=0x1b4) returned 1 [0088.403] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0088.404] SetEndOfFile (hFile=0x1d0) returned 1 [0088.405] CloseHandle (hObject=0x1d0) returned 1 [0088.406] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0088.406] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0088.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0088.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0088.406] lstrlenW (lpString=".doc") returned 4 [0088.406] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0088.406] lstrlenW (lpString=".docx") returned 5 [0088.406] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0088.406] lstrlenW (lpString=".pdf") returned 4 [0088.406] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0088.406] lstrlenW (lpString=".xls") returned 4 [0088.406] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0088.406] lstrlenW (lpString=".xlsx") returned 5 [0088.407] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0088.407] lstrlenW (lpString=".ppt") returned 4 [0088.407] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0088.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0088.407] lstrlenW (lpString=".zip") returned 4 [0088.407] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0088.407] lstrlenW (lpString=".rar") returned 4 [0088.407] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0088.407] lstrlenW (lpString=".bz2") returned 4 [0088.407] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0088.407] lstrlenW (lpString=".7z") returned 3 [0088.407] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0088.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0088.407] lstrlenW (lpString=".dbf") returned 4 [0088.407] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0088.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0088.407] lstrlenW (lpString=".1cd") returned 4 [0088.407] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0088.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0088.407] lstrlenW (lpString=".jpg") returned 4 [0088.407] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0088.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0088.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0088.407] lstrlenW (lpString=".doc") returned 4 [0088.407] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0088.407] lstrlenW (lpString=".docx") returned 5 [0088.407] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0088.407] lstrlenW (lpString=".pdf") returned 4 [0088.407] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0088.407] lstrlenW (lpString=".xls") returned 4 [0088.408] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0088.408] lstrlenW (lpString=".xlsx") returned 5 [0088.408] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0088.408] lstrlenW (lpString=".ppt") returned 4 [0088.408] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0088.408] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0088.408] lstrlenW (lpString=".zip") returned 4 [0088.408] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0088.408] lstrlenW (lpString=".rar") returned 4 [0088.408] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0088.408] lstrlenW (lpString=".bz2") returned 4 [0088.408] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0088.408] lstrlenW (lpString=".7z") returned 3 [0088.408] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0088.408] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0088.408] lstrlenW (lpString=".dbf") returned 4 [0088.408] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0088.408] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0088.408] lstrlenW (lpString=".1cd") returned 4 [0088.408] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0088.408] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0088.408] lstrlenW (lpString=".jpg") returned 4 [0088.408] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0088.408] lstrcmpiW (lpString1=".dll", lpString2=".mnbzr") returned -1 [0088.408] lstrlenW (lpString="PidGenX.dll") returned 11 [0088.408] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0088.409] GetFileSizeEx (in: hFile=0x1d0, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=1463568) returned 1 [0088.409] CloseHandle (hObject=0x1d0) returned 1 [0088.409] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0088.409] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0088.409] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d0 [0088.409] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0088.409] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0088.409] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0088.410] GetLastError () returned 0x0 [0088.410] ReadFile (in: hFile=0x1d0, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0089.248] WriteFile (in: hFile=0x1b4, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0089.652] ReadFile (in: hFile=0x1d0, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0x65520, lpOverlapped=0x0) returned 1 [0089.669] WriteFile (in: hFile=0x1b4, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0x65530, lpOverlapped=0x0) returned 1 [0090.126] ReadFile (in: hFile=0x1d0, lpBuffer=0x3e90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesRead=0x38dfed4*=0x0, lpOverlapped=0x0) returned 1 [0090.126] WriteFile (in: hFile=0x1b4, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x38dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0090.127] SetEndOfFile (hFile=0x1b4) returned 1 [0090.127] CloseHandle (hObject=0x1b4) returned 1 [0090.127] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0090.127] SetEndOfFile (hFile=0x1d0) returned 1 [0090.132] CloseHandle (hObject=0x1d0) returned 1 [0090.132] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", dwFileAttributes=0x2020) returned 1 [0090.133] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0090.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0090.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0090.133] lstrlenW (lpString=".doc") returned 4 [0090.133] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0090.133] lstrlenW (lpString=".docx") returned 5 [0090.133] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0090.133] lstrlenW (lpString=".pdf") returned 4 [0090.133] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0090.133] lstrlenW (lpString=".xls") returned 4 [0090.133] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0090.133] lstrlenW (lpString=".xlsx") returned 5 [0090.133] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0090.133] lstrlenW (lpString=".ppt") returned 4 [0090.133] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0090.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0090.133] lstrlenW (lpString=".zip") returned 4 [0090.133] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0090.133] lstrlenW (lpString=".rar") returned 4 [0090.133] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0090.134] lstrlenW (lpString=".bz2") returned 4 [0090.134] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0090.134] lstrlenW (lpString=".7z") returned 3 [0090.134] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0090.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0090.134] lstrlenW (lpString=".dbf") returned 4 [0090.134] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0090.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0090.134] lstrlenW (lpString=".1cd") returned 4 [0090.134] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0090.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0090.134] lstrlenW (lpString=".jpg") returned 4 [0090.134] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0090.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0090.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0090.134] lstrlenW (lpString=".doc") returned 4 [0090.134] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0090.134] lstrlenW (lpString=".docx") returned 5 [0090.134] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0090.134] lstrlenW (lpString=".pdf") returned 4 [0090.134] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0090.134] lstrlenW (lpString=".xls") returned 4 [0090.134] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0090.134] lstrlenW (lpString=".xlsx") returned 5 [0090.134] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0090.134] lstrlenW (lpString=".ppt") returned 4 [0090.134] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0090.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0090.134] lstrlenW (lpString=".zip") returned 4 [0090.134] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0090.135] lstrlenW (lpString=".rar") returned 4 [0090.135] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0090.135] lstrlenW (lpString=".bz2") returned 4 [0090.135] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0090.135] lstrlenW (lpString=".7z") returned 3 [0090.135] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0090.135] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0090.135] lstrlenW (lpString=".dbf") returned 4 [0090.135] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0090.135] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0090.135] lstrlenW (lpString=".1cd") returned 4 [0090.135] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0090.135] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0090.135] lstrlenW (lpString=".jpg") returned 4 [0090.135] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0090.135] lstrcmpiW (lpString1=".cab", lpString2=".mnbzr") returned -1 [0090.135] lstrlenW (lpString="ProPrWW.cab") returned 11 [0090.135] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0092.891] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x38dff1c | out: lpFileSize=0x38dff1c*=177720283) returned 1 [0092.891] CloseHandle (hObject=0x200) returned 1 [0092.891] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab")) returned 0x2020 [0092.892] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 0xffffffff [0092.892] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr")) returned 1 [0092.892] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[trfgklmbvzx@aol.com].mnbzr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0092.892] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0x0) returned 1 [0092.893] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0092.893] ReadFile (in: hFile=0x200, lpBuffer=0x3e90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e90058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0092.908] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0092.908] ReadFile (in: hFile=0x200, lpBuffer=0x3ed0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3ed0058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0092.914] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38dfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0092.915] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x38dfc2c | out: lpNewFilePointer=0x0) returned 1 [0092.915] ReadFile (in: hFile=0x200, lpBuffer=0x3f10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38dfc38, lpOverlapped=0x0 | out: lpBuffer=0x3f10058*, lpNumberOfBytesRead=0x38dfc38*=0x40000, lpOverlapped=0x0) returned 1 [0092.935] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38dfec8 | out: lpNewFilePointer=0x0) returned 1 [0092.935] WriteFile (in: hFile=0x200, lpBuffer=0x3e90020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x38dfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3e90020*, lpNumberOfBytesWritten=0x38dfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0093.279] SetEndOfFile (hFile=0x200) Thread: id = 19 os_tid = 0x738 [0067.405] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x32a2a18 [0067.405] lstrlenW (lpString="C:") returned 2 [0067.406] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x3a1fd00 | out: lpFindFileData=0x3a1fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x2cef00 [0067.406] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0067.406] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0067.406] lstrlenW (lpString="$Recycle.Bin") returned 12 [0067.406] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0067.406] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x32b2a20 [0067.407] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0067.407] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x3a1fa84 | out: lpFindFileData=0x3a1fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x29b3f8 [0067.407] FindNextFileW (in: hFindFile=0x29b3f8, lpFindFileData=0x3a1fa84 | out: lpFindFileData=0x3a1fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.407] FindNextFileW (in: hFindFile=0x29b3f8, lpFindFileData=0x3a1fa84 | out: lpFindFileData=0x3a1fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x327f9c30, ftLastAccessTime.dwHighDateTime=0x1d665ee, ftLastWriteTime.dwLowDateTime=0x327f9c30, ftLastWriteTime.dwHighDateTime=0x1d665ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0067.407] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0067.407] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0067.407] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0067.407] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0067.407] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xfffe) returned 0x3fa0048 [0067.408] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0067.408] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x3a1f808 | out: lpFindFileData=0x3a1f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x327f9c30, ftLastAccessTime.dwHighDateTime=0x1d665ee, ftLastWriteTime.dwLowDateTime=0x32845ef0, ftLastWriteTime.dwHighDateTime=0x1d665ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2cf018 [0067.408] FindNextFileW (in: hFindFile=0x2cf018, lpFindFileData=0x3a1f808 | out: lpFindFileData=0x3a1f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x327f9c30, ftLastAccessTime.dwHighDateTime=0x1d665ee, ftLastWriteTime.dwLowDateTime=0x32845ef0, ftLastWriteTime.dwHighDateTime=0x1d665ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.408] FindNextFileW (in: hFindFile=0x2cf018, lpFindFileData=0x3a1f808 | out: lpFindFileData=0x3a1f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x327f9c30, ftCreationTime.dwHighDateTime=0x1d665ee, ftLastAccessTime.dwLowDateTime=0x327f9c30, ftLastAccessTime.dwHighDateTime=0x1d665ee, ftLastWriteTime.dwLowDateTime=0x32845ef0, ftLastWriteTime.dwHighDateTime=0x1d665ee, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr", cAlternateFileName="DESKTO~1.MNB")) returned 1 [0067.408] lstrlenW (lpString="desktop.ini.id-9C354B42.[trfgklmbvzx@aol.com].mnbzr") returned 51 [0067.408] lstrlenW (lpString=".1cd") returned 4 [0067.408] lstrcmpiW (lpString1=".1cd", lpString2="nbzr") returned -1 [0067.408] lstrlenW (lpString=".3ds") returned 4 [0067.408] lstrcmpiW (lpString1=".3ds", lpString2="nbzr") returned -1 [0067.408] lstrlenW (lpString=".3fr") returned 4 [0067.408] lstrcmpiW (lpString1=".3fr", lpString2="nbzr") returned -1 [0067.408] lstrlenW (lpString=".3g2") returned 4 [0067.408] lstrcmpiW (lpString1=".3g2", lpString2="nbzr") returned -1 [0067.409] lstrlenW (lpString=".3gp") returned 4 [0067.409] lstrcmpiW (lpString1=".3gp", lpString2="nbzr") returned -1 [0067.409] lstrlenW (lpString=".7z") returned 3 [0067.409] lstrcmpiW (lpString1=".7z", lpString2="bzr") returned -1 [0067.409] lstrlenW (lpString=".accda") returned 6 [0067.409] lstrcmpiW (lpString1=".accda", lpString2=".mnbzr") returned -1 [0067.409] lstrlenW (lpString=".accdb") returned 6 [0067.409] lstrcmpiW (lpString1=".accdb", lpString2=".mnbzr") returned -1 [0067.409] lstrlenW (lpString=".accdc") returned 6 [0067.409] lstrcmpiW (lpString1=".accdc", lpString2=".mnbzr") returned -1 [0067.409] lstrlenW (lpString=".accde") returned 6 [0067.409] lstrcmpiW (lpString1=".accde", lpString2=".mnbzr") returned -1 [0067.409] lstrlenW (lpString=".accdt") returned 6 [0067.409] lstrcmpiW (lpString1=".accdt", lpString2=".mnbzr") returned -1 [0067.409] lstrlenW (lpString=".accdw") returned 6 [0067.409] lstrcmpiW (lpString1=".accdw", lpString2=".mnbzr") returned -1 [0067.409] lstrlenW (lpString=".adb") returned 4 [0067.409] lstrcmpiW (lpString1=".adb", lpString2="nbzr") returned -1 [0067.409] lstrlenW (lpString=".adp") returned 4 [0067.409] lstrcmpiW (lpString1=".adp", lpString2="nbzr") returned -1 [0067.409] lstrlenW (lpString=".ai") returned 3 [0067.409] lstrcmpiW (lpString1=".ai", lpString2="bzr") returned -1 [0067.409] lstrlenW (lpString=".ai3") returned 4 [0067.409] lstrcmpiW (lpString1=".ai3", lpString2="nbzr") returned -1 [0067.409] lstrlenW (lpString=".ai4") returned 4 [0067.409] lstrcmpiW (lpString1=".ai4", lpString2="nbzr") returned -1 [0067.409] lstrlenW (lpString=".ai5") returned 4 [0067.409] lstrcmpiW (lpString1=".ai5", lpString2="nbzr") returned -1 [0067.409] lstrlenW (lpString=".ai6") returned 4 [0067.409] lstrcmpiW (lpString1=".ai6", lpString2="nbzr") returned -1 [0067.409] lstrlenW (lpString=".ai7") returned 4 [0067.409] lstrcmpiW (lpString1=".ai7", lpString2="nbzr") returned -1 [0067.409] lstrlenW (lpString=".ai8") returned 4 [0067.409] lstrcmpiW (lpString1=".ai8", lpString2="nbzr") returned -1 [0067.409] lstrlenW (lpString=".anim") returned 5 [0067.410] lstrcmpiW (lpString1=".anim", lpString2="mnbzr") returned -1 [0067.410] lstrlenW (lpString=".arw") returned 4 [0067.410] lstrcmpiW (lpString1=".arw", lpString2="nbzr") returned -1 [0067.410] lstrlenW (lpString=".as") returned 3 [0067.410] lstrcmpiW (lpString1=".as", lpString2="bzr") returned -1 [0067.410] lstrlenW (lpString=".asa") returned 4 [0067.410] lstrcmpiW (lpString1=".asa", lpString2="nbzr") returned -1 [0067.410] lstrlenW (lpString=".asc") returned 4 [0067.410] lstrcmpiW (lpString1=".asc", lpString2="nbzr") returned -1 [0067.410] lstrlenW (lpString=".ascx") returned 5 [0067.410] lstrcmpiW (lpString1=".ascx", lpString2="mnbzr") returned -1 [0067.410] lstrlenW (lpString=".asm") returned 4 [0067.410] lstrcmpiW (lpString1=".asm", lpString2="nbzr") returned -1 [0067.410] lstrlenW (lpString=".asmx") returned 5 [0067.410] lstrcmpiW (lpString1=".asmx", lpString2="mnbzr") returned -1 [0067.410] lstrlenW (lpString=".asp") returned 4 [0067.410] lstrcmpiW (lpString1=".asp", lpString2="nbzr") returned -1 [0067.410] lstrlenW (lpString=".aspx") returned 5 [0067.410] lstrcmpiW (lpString1=".aspx", lpString2="mnbzr") returned -1 [0067.410] lstrlenW (lpString=".asr") returned 4 [0067.410] lstrcmpiW (lpString1=".asr", lpString2="nbzr") returned -1 [0067.410] lstrlenW (lpString=".asx") returned 4 [0067.410] lstrcmpiW (lpString1=".asx", lpString2="nbzr") returned -1 [0067.410] lstrlenW (lpString=".avi") returned 4 [0067.410] lstrcmpiW (lpString1=".avi", lpString2="nbzr") returned -1 [0067.410] lstrlenW (lpString=".avs") returned 4 [0067.410] lstrcmpiW (lpString1=".avs", lpString2="nbzr") returned -1 [0067.410] lstrlenW (lpString=".backup") returned 7 [0067.410] lstrcmpiW (lpString1=".backup", lpString2="].mnbzr") returned -1 [0067.410] lstrlenW (lpString=".bak") returned 4 [0067.410] lstrcmpiW (lpString1=".bak", lpString2="nbzr") returned -1 [0067.410] lstrlenW (lpString=".bay") returned 4 [0067.411] lstrcmpiW (lpString1=".bay", lpString2="nbzr") returned -1 [0067.411] lstrlenW (lpString=".bd") returned 3 [0067.411] lstrcmpiW (lpString1=".bd", lpString2="bzr") returned -1 [0067.411] lstrlenW (lpString=".bin") returned 4 [0067.411] lstrcmpiW (lpString1=".bin", lpString2="nbzr") returned -1 [0067.411] lstrlenW (lpString=".bmp") returned 4 [0067.411] lstrcmpiW (lpString1=".bmp", lpString2="nbzr") returned -1 [0067.411] lstrlenW (lpString=".bz2") returned 4 [0067.411] lstrcmpiW (lpString1=".bz2", lpString2="nbzr") returned -1 [0067.411] lstrlenW (lpString=".c") returned 2 [0067.411] lstrcmpiW (lpString1=".c", lpString2="zr") returned -1 [0067.411] lstrlenW (lpString=".cdr") returned 4 [0067.411] lstrcmpiW (lpString1=".cdr", lpString2="nbzr") returned -1 [0067.411] lstrlenW (lpString=".cer") returned 4 [0067.411] lstrcmpiW (lpString1=".cer", lpString2="nbzr") returned -1 [0067.411] lstrlenW (lpString=".cf") returned 3 [0067.411] lstrcmpiW (lpString1=".cf", lpString2="bzr") returned -1 [0067.411] lstrlenW (lpString=".cfc") returned 4 [0067.411] lstrcmpiW (lpString1=".cfc", lpString2="nbzr") returned -1 [0067.411] lstrlenW (lpString=".cfm") returned 4 [0067.411] lstrcmpiW (lpString1=".cfm", lpString2="nbzr") returned -1 [0067.411] lstrlenW (lpString=".cfml") returned 5 [0067.411] lstrcmpiW (lpString1=".cfml", lpString2="mnbzr") returned -1 [0067.411] lstrlenW (lpString=".cfu") returned 4 [0067.411] lstrcmpiW (lpString1=".cfu", lpString2="nbzr") returned -1 [0067.411] lstrlenW (lpString=".chm") returned 4 [0067.411] lstrcmpiW (lpString1=".chm", lpString2="nbzr") returned -1 [0067.411] lstrlenW (lpString=".cin") returned 4 [0067.411] lstrcmpiW (lpString1=".cin", lpString2="nbzr") returned -1 [0067.412] lstrlenW (lpString=".class") returned 6 [0067.412] lstrcmpiW (lpString1=".class", lpString2=".mnbzr") returned -1 [0067.412] lstrlenW (lpString=".clx") returned 4 [0067.412] lstrcmpiW (lpString1=".clx", lpString2="nbzr") returned -1 [0067.412] lstrlenW (lpString=".config") returned 7 [0067.412] lstrcmpiW (lpString1=".config", lpString2="].mnbzr") returned -1 [0067.412] lstrlenW (lpString=".cpp") returned 4 [0067.412] lstrcmpiW (lpString1=".cpp", lpString2="nbzr") returned -1 [0067.412] lstrlenW (lpString=".cr2") returned 4 [0067.412] lstrcmpiW (lpString1=".cr2", lpString2="nbzr") returned -1 [0067.412] lstrlenW (lpString=".crt") returned 4 [0067.412] lstrcmpiW (lpString1=".crt", lpString2="nbzr") returned -1 [0067.412] lstrlenW (lpString=".crw") returned 4 [0067.412] lstrcmpiW (lpString1=".crw", lpString2="nbzr") returned -1 [0067.412] lstrlenW (lpString=".cs") returned 3 [0067.412] lstrcmpiW (lpString1=".cs", lpString2="bzr") returned -1 [0067.412] lstrlenW (lpString=".css") returned 4 [0067.412] lstrcmpiW (lpString1=".css", lpString2="nbzr") returned -1 [0067.412] lstrlenW (lpString=".csv") returned 4 [0067.412] lstrcmpiW (lpString1=".csv", lpString2="nbzr") returned -1 [0067.412] lstrlenW (lpString=".cub") returned 4 [0067.412] lstrcmpiW (lpString1=".cub", lpString2="nbzr") returned -1 [0067.412] lstrlenW (lpString=".dae") returned 4 [0067.412] lstrcmpiW (lpString1=".dae", lpString2="nbzr") returned -1 [0067.412] lstrlenW (lpString=".dat") returned 4 [0067.412] lstrcmpiW (lpString1=".dat", lpString2="nbzr") returned -1 [0067.412] lstrlenW (lpString=".db") returned 3 [0067.412] lstrcmpiW (lpString1=".db", lpString2="bzr") returned -1 [0067.413] lstrlenW (lpString=".dbf") returned 4 [0067.413] lstrcmpiW (lpString1=".dbf", lpString2="nbzr") returned -1 [0067.413] lstrlenW (lpString=".dbx") returned 4 [0067.413] lstrcmpiW (lpString1=".dbx", lpString2="nbzr") returned -1 [0067.413] lstrlenW (lpString=".dc3") returned 4 [0067.413] lstrcmpiW (lpString1=".dc3", lpString2="nbzr") returned -1 [0067.413] lstrlenW (lpString=".dcm") returned 4 [0067.413] lstrcmpiW (lpString1=".dcm", lpString2="nbzr") returned -1 [0067.413] lstrlenW (lpString=".dcr") returned 4 [0067.413] lstrcmpiW (lpString1=".dcr", lpString2="nbzr") returned -1 [0067.413] lstrlenW (lpString=".der") returned 4 [0067.413] lstrcmpiW (lpString1=".der", lpString2="nbzr") returned -1 [0067.413] lstrlenW (lpString=".dib") returned 4 [0067.413] lstrcmpiW (lpString1=".dib", lpString2="nbzr") returned -1 [0067.413] lstrlenW (lpString=".dic") returned 4 [0067.413] lstrcmpiW (lpString1=".dic", lpString2="nbzr") returned -1 [0067.413] lstrlenW (lpString=".dif") returned 4 [0067.413] lstrcmpiW (lpString1=".dif", lpString2="nbzr") returned -1 [0067.413] lstrlenW (lpString=".divx") returned 5 [0067.413] lstrcmpiW (lpString1=".divx", lpString2="mnbzr") returned -1 [0067.413] lstrlenW (lpString=".djvu") returned 5 [0067.413] lstrcmpiW (lpString1=".djvu", lpString2="mnbzr") returned -1 [0067.413] lstrlenW (lpString=".dng") returned 4 [0067.413] lstrcmpiW (lpString1=".dng", lpString2="nbzr") returned -1 [0067.413] lstrlenW (lpString=".doc") returned 4 [0067.413] lstrcmpiW (lpString1=".doc", lpString2="nbzr") returned -1 [0067.413] lstrlenW (lpString=".docm") returned 5 [0067.414] lstrcmpiW (lpString1=".docm", lpString2="mnbzr") returned -1 [0067.414] lstrlenW (lpString=".docx") returned 5 [0067.414] lstrcmpiW (lpString1=".docx", lpString2="mnbzr") returned -1 [0067.414] lstrlenW (lpString=".dot") returned 4 [0067.414] lstrcmpiW (lpString1=".dot", lpString2="nbzr") returned -1 [0067.414] lstrlenW (lpString=".dotm") returned 5 [0067.414] lstrcmpiW (lpString1=".dotm", lpString2="mnbzr") returned -1 [0067.414] lstrlenW (lpString=".dotx") returned 5 [0067.414] lstrcmpiW (lpString1=".dotx", lpString2="mnbzr") returned -1 [0067.414] lstrlenW (lpString=".dpx") returned 4 [0067.414] lstrcmpiW (lpString1=".dpx", lpString2="nbzr") returned -1 [0067.414] lstrlenW (lpString=".dqy") returned 4 [0067.414] lstrcmpiW (lpString1=".dqy", lpString2="nbzr") returned -1 [0067.414] lstrlenW (lpString=".dsn") returned 4 [0067.414] lstrcmpiW (lpString1=".dsn", lpString2="nbzr") returned -1 [0067.414] lstrlenW (lpString=".dt") returned 3 [0067.414] lstrcmpiW (lpString1=".dt", lpString2="bzr") returned -1 [0067.414] lstrlenW (lpString=".dtd") returned 4 [0067.414] lstrcmpiW (lpString1=".dtd", lpString2="nbzr") returned -1 [0067.414] lstrlenW (lpString=".dwg") returned 4 [0067.414] lstrcmpiW (lpString1=".dwg", lpString2="nbzr") returned -1 [0067.414] lstrlenW (lpString=".dwt") returned 4 [0067.414] lstrcmpiW (lpString1=".dwt", lpString2="nbzr") returned -1 [0067.414] lstrlenW (lpString=".dx") returned 3 [0067.414] lstrcmpiW (lpString1=".dx", lpString2="bzr") returned -1 [0067.414] lstrlenW (lpString=".dxf") returned 4 [0067.414] lstrcmpiW (lpString1=".dxf", lpString2="nbzr") returned -1 [0067.415] lstrlenW (lpString=".edml") returned 5 [0067.415] lstrcmpiW (lpString1=".edml", lpString2="mnbzr") returned -1 [0067.415] lstrlenW (lpString=".efd") returned 4 [0067.415] lstrcmpiW (lpString1=".efd", lpString2="nbzr") returned -1 [0067.415] lstrlenW (lpString=".elf") returned 4 [0067.415] lstrcmpiW (lpString1=".elf", lpString2="nbzr") returned -1 [0067.415] lstrlenW (lpString=".emf") returned 4 [0067.415] lstrcmpiW (lpString1=".emf", lpString2="nbzr") returned -1 [0067.415] lstrlenW (lpString=".emz") returned 4 [0067.415] lstrcmpiW (lpString1=".emz", lpString2="nbzr") returned -1 [0067.415] lstrlenW (lpString=".epf") returned 4 [0067.415] lstrcmpiW (lpString1=".epf", lpString2="nbzr") returned -1 [0067.415] lstrlenW (lpString=".eps") returned 4 [0067.415] lstrcmpiW (lpString1=".eps", lpString2="nbzr") returned -1 [0067.415] lstrlenW (lpString=".epsf") returned 5 [0067.415] lstrcmpiW (lpString1=".epsf", lpString2="mnbzr") returned -1 [0067.415] lstrlenW (lpString=".epsp") returned 5 [0067.415] lstrcmpiW (lpString1=".epsp", lpString2="mnbzr") returned -1 [0067.415] lstrlenW (lpString=".erf") returned 4 [0067.415] lstrcmpiW (lpString1=".erf", lpString2="nbzr") returned -1 [0067.415] lstrlenW (lpString=".exr") returned 4 [0067.415] lstrcmpiW (lpString1=".exr", lpString2="nbzr") returned -1 [0067.415] lstrlenW (lpString=".f4v") returned 4 [0067.415] lstrcmpiW (lpString1=".f4v", lpString2="nbzr") returned -1 [0067.416] lstrlenW (lpString=".fido") returned 5 [0067.416] lstrcmpiW (lpString1=".fido", lpString2="mnbzr") returned -1 [0067.416] lstrlenW (lpString=".flm") returned 4 [0067.416] lstrcmpiW (lpString1=".flm", lpString2="nbzr") returned -1 [0067.416] lstrlenW (lpString=".flv") returned 4 [0067.416] lstrcmpiW (lpString1=".flv", lpString2="nbzr") returned -1 [0067.416] lstrlenW (lpString=".frm") returned 4 [0067.416] lstrcmpiW (lpString1=".frm", lpString2="nbzr") returned -1 [0067.416] lstrlenW (lpString=".fxg") returned 4 [0067.416] lstrcmpiW (lpString1=".fxg", lpString2="nbzr") returned -1 [0067.416] lstrlenW (lpString=".geo") returned 4 [0067.416] lstrcmpiW (lpString1=".geo", lpString2="nbzr") returned -1 [0067.416] lstrlenW (lpString=".gif") returned 4 [0067.416] lstrcmpiW (lpString1=".gif", lpString2="nbzr") returned -1 [0067.416] lstrlenW (lpString=".grs") returned 4 [0067.416] lstrcmpiW (lpString1=".grs", lpString2="nbzr") returned -1 [0067.416] lstrlenW (lpString=".gz") returned 3 [0067.416] lstrcmpiW (lpString1=".gz", lpString2="bzr") returned -1 [0067.416] lstrlenW (lpString=".h") returned 2 [0067.416] lstrcmpiW (lpString1=".h", lpString2="zr") returned -1 [0067.416] lstrlenW (lpString=".hdr") returned 4 [0067.416] lstrcmpiW (lpString1=".hdr", lpString2="nbzr") returned -1 [0067.416] lstrlenW (lpString=".hpp") returned 4 [0067.416] lstrcmpiW (lpString1=".hpp", lpString2="nbzr") returned -1 [0067.416] lstrlenW (lpString=".hta") returned 4 [0067.416] lstrcmpiW (lpString1=".hta", lpString2="nbzr") returned -1 [0067.416] lstrlenW (lpString=".htc") returned 4 [0067.417] lstrcmpiW (lpString1=".htc", lpString2="nbzr") returned -1 [0067.417] lstrlenW (lpString=".htm") returned 4 [0067.417] lstrcmpiW (lpString1=".htm", lpString2="nbzr") returned -1 [0067.417] lstrlenW (lpString=".html") returned 5 [0067.417] lstrcmpiW (lpString1=".html", lpString2="mnbzr") returned -1 [0067.417] lstrlenW (lpString=".icb") returned 4 [0067.417] lstrcmpiW (lpString1=".icb", lpString2="nbzr") returned -1 [0067.417] lstrlenW (lpString=".ics") returned 4 [0067.417] lstrcmpiW (lpString1=".ics", lpString2="nbzr") returned -1 [0067.417] lstrlenW (lpString=".iff") returned 4 [0067.417] lstrcmpiW (lpString1=".iff", lpString2="nbzr") returned -1 [0067.417] lstrlenW (lpString=".inc") returned 4 [0067.417] lstrcmpiW (lpString1=".inc", lpString2="nbzr") returned -1 [0067.417] lstrlenW (lpString=".indd") returned 5 [0067.417] lstrcmpiW (lpString1=".indd", lpString2="mnbzr") returned -1 [0067.417] lstrlenW (lpString=".ini") returned 4 [0067.417] lstrcmpiW (lpString1=".ini", lpString2="nbzr") returned -1 [0067.417] lstrlenW (lpString=".iqy") returned 4 [0067.417] lstrcmpiW (lpString1=".iqy", lpString2="nbzr") returned -1 [0067.417] lstrlenW (lpString=".j2c") returned 4 [0067.417] lstrcmpiW (lpString1=".j2c", lpString2="nbzr") returned -1 [0067.417] lstrlenW (lpString=".j2k") returned 4 [0067.417] lstrcmpiW (lpString1=".j2k", lpString2="nbzr") returned -1 [0067.417] lstrlenW (lpString=".java") returned 5 [0067.417] lstrcmpiW (lpString1=".java", lpString2="mnbzr") returned -1 [0067.417] lstrlenW (lpString=".jp2") returned 4 [0067.417] lstrcmpiW (lpString1=".jp2", lpString2="nbzr") returned -1 [0067.418] lstrlenW (lpString=".jpc") returned 4 [0067.418] lstrcmpiW (lpString1=".jpc", lpString2="nbzr") returned -1 [0067.418] lstrlenW (lpString=".jpe") returned 4 [0067.418] lstrcmpiW (lpString1=".jpe", lpString2="nbzr") returned -1 [0067.418] lstrlenW (lpString=".jpeg") returned 5 [0067.418] lstrcmpiW (lpString1=".jpeg", lpString2="mnbzr") returned -1 [0067.418] lstrlenW (lpString=".jpf") returned 4 [0067.418] lstrcmpiW (lpString1=".jpf", lpString2="nbzr") returned -1 [0067.418] lstrlenW (lpString=".jpg") returned 4 [0067.418] lstrcmpiW (lpString1=".jpg", lpString2="nbzr") returned -1 [0067.418] lstrlenW (lpString=".jpx") returned 4 [0067.418] lstrcmpiW (lpString1=".jpx", lpString2="nbzr") returned -1 [0067.418] lstrlenW (lpString=".js") returned 3 [0067.418] lstrcmpiW (lpString1=".js", lpString2="bzr") returned -1 [0067.418] lstrlenW (lpString=".jsf") returned 4 [0067.418] lstrcmpiW (lpString1=".jsf", lpString2="nbzr") returned -1 [0067.418] lstrlenW (lpString=".json") returned 5 [0067.418] lstrcmpiW (lpString1=".json", lpString2="mnbzr") returned -1 [0067.418] lstrlenW (lpString=".jsp") returned 4 [0067.418] lstrcmpiW (lpString1=".jsp", lpString2="nbzr") returned -1 [0067.418] lstrlenW (lpString=".kdc") returned 4 [0067.418] lstrcmpiW (lpString1=".kdc", lpString2="nbzr") returned -1 [0067.418] lstrlenW (lpString=".kmz") returned 4 [0067.418] lstrcmpiW (lpString1=".kmz", lpString2="nbzr") returned -1 [0067.418] lstrlenW (lpString=".kwm") returned 4 [0067.418] lstrcmpiW (lpString1=".kwm", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".lasso") returned 6 [0067.419] lstrcmpiW (lpString1=".lasso", lpString2=".mnbzr") returned -1 [0067.419] lstrlenW (lpString=".lbi") returned 4 [0067.419] lstrcmpiW (lpString1=".lbi", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".lgf") returned 4 [0067.419] lstrcmpiW (lpString1=".lgf", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".lgp") returned 4 [0067.419] lstrcmpiW (lpString1=".lgp", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".log") returned 4 [0067.419] lstrcmpiW (lpString1=".log", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".m1v") returned 4 [0067.419] lstrcmpiW (lpString1=".m1v", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".m4a") returned 4 [0067.419] lstrcmpiW (lpString1=".m4a", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".m4v") returned 4 [0067.419] lstrcmpiW (lpString1=".m4v", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".max") returned 4 [0067.419] lstrcmpiW (lpString1=".max", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".md") returned 3 [0067.419] lstrcmpiW (lpString1=".md", lpString2="bzr") returned -1 [0067.419] lstrlenW (lpString=".mda") returned 4 [0067.419] lstrcmpiW (lpString1=".mda", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".mdb") returned 4 [0067.419] lstrcmpiW (lpString1=".mdb", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".mde") returned 4 [0067.419] lstrcmpiW (lpString1=".mde", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".mdf") returned 4 [0067.419] lstrcmpiW (lpString1=".mdf", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".mdw") returned 4 [0067.419] lstrcmpiW (lpString1=".mdw", lpString2="nbzr") returned -1 [0067.419] lstrlenW (lpString=".mef") returned 4 [0067.419] lstrcmpiW (lpString1=".mef", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".mft") returned 4 [0067.420] lstrcmpiW (lpString1=".mft", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".mfw") returned 4 [0067.420] lstrcmpiW (lpString1=".mfw", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".mht") returned 4 [0067.420] lstrcmpiW (lpString1=".mht", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".mhtml") returned 6 [0067.420] lstrcmpiW (lpString1=".mhtml", lpString2=".mnbzr") returned -1 [0067.420] lstrlenW (lpString=".mka") returned 4 [0067.420] lstrcmpiW (lpString1=".mka", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".mkidx") returned 6 [0067.420] lstrcmpiW (lpString1=".mkidx", lpString2=".mnbzr") returned -1 [0067.420] lstrlenW (lpString=".mkv") returned 4 [0067.420] lstrcmpiW (lpString1=".mkv", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".mos") returned 4 [0067.420] lstrcmpiW (lpString1=".mos", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".mov") returned 4 [0067.420] lstrcmpiW (lpString1=".mov", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".mp3") returned 4 [0067.420] lstrcmpiW (lpString1=".mp3", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".mp4") returned 4 [0067.420] lstrcmpiW (lpString1=".mp4", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".mpeg") returned 5 [0067.420] lstrcmpiW (lpString1=".mpeg", lpString2="mnbzr") returned -1 [0067.420] lstrlenW (lpString=".mpg") returned 4 [0067.420] lstrcmpiW (lpString1=".mpg", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".mpv") returned 4 [0067.420] lstrcmpiW (lpString1=".mpv", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".mrw") returned 4 [0067.420] lstrcmpiW (lpString1=".mrw", lpString2="nbzr") returned -1 [0067.420] lstrlenW (lpString=".msg") returned 4 [0067.421] lstrcmpiW (lpString1=".msg", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".mxl") returned 4 [0067.421] lstrcmpiW (lpString1=".mxl", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".myd") returned 4 [0067.421] lstrcmpiW (lpString1=".myd", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".myi") returned 4 [0067.421] lstrcmpiW (lpString1=".myi", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".nef") returned 4 [0067.421] lstrcmpiW (lpString1=".nef", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".nrw") returned 4 [0067.421] lstrcmpiW (lpString1=".nrw", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".obj") returned 4 [0067.421] lstrcmpiW (lpString1=".obj", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".odb") returned 4 [0067.421] lstrcmpiW (lpString1=".odb", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".odc") returned 4 [0067.421] lstrcmpiW (lpString1=".odc", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".odm") returned 4 [0067.421] lstrcmpiW (lpString1=".odm", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".odp") returned 4 [0067.421] lstrcmpiW (lpString1=".odp", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".ods") returned 4 [0067.421] lstrcmpiW (lpString1=".ods", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".oft") returned 4 [0067.421] lstrcmpiW (lpString1=".oft", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".one") returned 4 [0067.421] lstrcmpiW (lpString1=".one", lpString2="nbzr") returned -1 [0067.421] lstrlenW (lpString=".onepkg") returned 7 [0067.421] lstrcmpiW (lpString1=".onepkg", lpString2="].mnbzr") returned -1 [0067.421] lstrlenW (lpString=".onetoc2") returned 8 [0067.421] lstrcmpiW (lpString1=".onetoc2", lpString2="m].mnbzr") returned -1 [0067.421] lstrlenW (lpString=".opt") returned 4 [0067.422] lstrcmpiW (lpString1=".opt", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".oqy") returned 4 [0067.422] lstrcmpiW (lpString1=".oqy", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".orf") returned 4 [0067.422] lstrcmpiW (lpString1=".orf", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".p12") returned 4 [0067.422] lstrcmpiW (lpString1=".p12", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".p7b") returned 4 [0067.422] lstrcmpiW (lpString1=".p7b", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".p7c") returned 4 [0067.422] lstrcmpiW (lpString1=".p7c", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".pam") returned 4 [0067.422] lstrcmpiW (lpString1=".pam", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".pbm") returned 4 [0067.422] lstrcmpiW (lpString1=".pbm", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".pct") returned 4 [0067.422] lstrcmpiW (lpString1=".pct", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".pcx") returned 4 [0067.422] lstrcmpiW (lpString1=".pcx", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".pdd") returned 4 [0067.422] lstrcmpiW (lpString1=".pdd", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".pdf") returned 4 [0067.422] lstrcmpiW (lpString1=".pdf", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".pdp") returned 4 [0067.422] lstrcmpiW (lpString1=".pdp", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".pef") returned 4 [0067.422] lstrcmpiW (lpString1=".pef", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".pem") returned 4 [0067.422] lstrcmpiW (lpString1=".pem", lpString2="nbzr") returned -1 [0067.422] lstrlenW (lpString=".pff") returned 4 [0067.422] lstrcmpiW (lpString1=".pff", lpString2="nbzr") returned -1 [0067.423] lstrlenW (lpString=".pfm") returned 4 [0067.423] lstrcmpiW (lpString1=".pfm", lpString2="nbzr") returned -1 [0067.423] lstrlenW (lpString=".pfx") returned 4 [0067.423] lstrcmpiW (lpString1=".pfx", lpString2="nbzr") returned -1 [0067.423] lstrlenW (lpString=".pgm") returned 4 [0067.423] lstrcmpiW (lpString1=".pgm", lpString2="nbzr") returned -1 [0067.423] lstrlenW (lpString=".php") returned 4 [0067.423] lstrcmpiW (lpString1=".php", lpString2="nbzr") returned -1 [0067.423] lstrlenW (lpString=".php3") returned 5 [0067.423] lstrcmpiW (lpString1=".php3", lpString2="mnbzr") returned -1 [0067.423] lstrlenW (lpString=".php4") returned 5 [0067.423] lstrcmpiW (lpString1=".php4", lpString2="mnbzr") returned -1 [0067.423] lstrlenW (lpString=".php5") returned 5 [0067.423] lstrcmpiW (lpString1=".php5", lpString2="mnbzr") returned -1 [0067.423] lstrlenW (lpString=".phtml") returned 6 [0067.423] lstrcmpiW (lpString1=".phtml", lpString2=".mnbzr") returned 1 [0067.423] lstrlenW (lpString=".pict") returned 5 [0067.423] lstrcmpiW (lpString1=".pict", lpString2="mnbzr") returned -1 [0067.423] lstrlenW (lpString=".pl") returned 3 [0067.423] lstrcmpiW (lpString1=".pl", lpString2="bzr") returned -1 [0067.423] lstrlenW (lpString=".pls") returned 4 [0067.423] lstrcmpiW (lpString1=".pls", lpString2="nbzr") returned -1 [0067.423] lstrlenW (lpString=".pm") returned 3 [0067.423] lstrcmpiW (lpString1=".pm", lpString2="bzr") returned -1 [0067.424] lstrlenW (lpString=".png") returned 4 [0067.424] lstrcmpiW (lpString1=".png", lpString2="nbzr") returned -1 [0067.424] lstrlenW (lpString=".pnm") returned 4 [0067.424] lstrcmpiW (lpString1=".pnm", lpString2="nbzr") returned -1 [0067.424] lstrlenW (lpString=".pot") returned 4 [0067.424] lstrcmpiW (lpString1=".pot", lpString2="nbzr") returned -1 [0067.424] lstrlenW (lpString=".potm") returned 5 [0067.424] lstrcmpiW (lpString1=".potm", lpString2="mnbzr") returned -1 [0067.424] lstrlenW (lpString=".potx") returned 5 [0067.424] lstrcmpiW (lpString1=".potx", lpString2="mnbzr") returned -1 [0067.424] lstrlenW (lpString=".ppa") returned 4 [0067.424] lstrcmpiW (lpString1=".ppa", lpString2="nbzr") returned -1 [0067.424] lstrlenW (lpString=".ppam") returned 5 [0067.424] lstrcmpiW (lpString1=".ppam", lpString2="mnbzr") returned -1 [0067.424] lstrlenW (lpString=".ppm") returned 4 [0067.424] lstrcmpiW (lpString1=".ppm", lpString2="nbzr") returned -1 [0067.424] lstrlenW (lpString=".pps") returned 4 [0067.424] lstrcmpiW (lpString1=".pps", lpString2="nbzr") returned -1 [0067.424] lstrlenW (lpString=".ppsm") returned 5 [0067.424] lstrcmpiW (lpString1=".ppsm", lpString2="mnbzr") returned -1 [0067.424] lstrlenW (lpString=".ppt") returned 4 [0067.424] lstrcmpiW (lpString1=".ppt", lpString2="nbzr") returned -1 [0067.424] lstrlenW (lpString=".pptm") returned 5 [0067.424] lstrcmpiW (lpString1=".pptm", lpString2="mnbzr") returned -1 [0067.424] lstrlenW (lpString=".pptx") returned 5 [0067.425] lstrcmpiW (lpString1=".pptx", lpString2="mnbzr") returned -1 [0067.425] lstrlenW (lpString=".prn") returned 4 [0067.425] lstrcmpiW (lpString1=".prn", lpString2="nbzr") returned -1 [0067.425] lstrlenW (lpString=".ps") returned 3 [0067.425] lstrcmpiW (lpString1=".ps", lpString2="bzr") returned -1 [0067.425] lstrlenW (lpString=".psb") returned 4 [0067.425] lstrcmpiW (lpString1=".psb", lpString2="nbzr") returned -1 [0067.425] lstrlenW (lpString=".psd") returned 4 [0067.425] lstrcmpiW (lpString1=".psd", lpString2="nbzr") returned -1 [0067.425] lstrlenW (lpString=".pst") returned 4 [0067.425] lstrcmpiW (lpString1=".pst", lpString2="nbzr") returned -1 [0067.425] lstrlenW (lpString=".ptx") returned 4 [0067.425] lstrcmpiW (lpString1=".ptx", lpString2="nbzr") returned -1 [0067.425] lstrlenW (lpString=".pub") returned 4 [0067.425] lstrcmpiW (lpString1=".pub", lpString2="nbzr") returned -1 [0067.425] lstrlenW (lpString=".pwm") returned 4 [0067.425] lstrcmpiW (lpString1=".pwm", lpString2="nbzr") returned -1 [0067.425] FindClose (in: hFindFile=0x2cf018 | out: hFindFile=0x2cf018) returned 1 [0067.425] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3fa0048 | out: hHeap=0x240000) returned 1 [0067.425] FindNextFileW (in: hFindFile=0x29b3f8, lpFindFileData=0x3a1fa84 | out: lpFindFileData=0x3a1fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x327f9c30, ftLastAccessTime.dwHighDateTime=0x1d665ee, ftLastWriteTime.dwLowDateTime=0x327f9c30, ftLastWriteTime.dwHighDateTime=0x1d665ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0067.426] FindClose (in: hFindFile=0x29b3f8 | out: hFindFile=0x29b3f8) returned 1 [0067.426] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x32b2a20 | out: hHeap=0x240000) returned 1 [0067.426] FindNextFileW (in: hFindFile=0x2cef00, lpFindFileData=0x3a1fd00 | out: lpFindFileData=0x3a1fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x328b8310, ftLastAccessTime.dwHighDateTime=0x1d665ee, ftLastWriteTime.dwLowDateTime=0x328b8310, ftLastWriteTime.dwHighDateTime=0x1d665ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0067.426] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x3a1fa84 | out: lpFindFileData=0x3a1fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x328b8310, ftLastAccessTime.dwHighDateTime=0x1d665ee, ftLastWriteTime.dwLowDateTime=0x328b8310, ftLastWriteTime.dwHighDateTime=0x1d665ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x29b3f8 [0067.427] FindNextFileW (in: hFindFile=0x29b3f8, lpFindFileData=0x3a1fa84 | out: lpFindFileData=0x3a1fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x328b8310, ftLastAccessTime.dwHighDateTime=0x1d665ee, ftLastWriteTime.dwLowDateTime=0x328b8310, ftLastWriteTime.dwHighDateTime=0x1d665ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.428] FindNextFileW (in: hFindFile=0x29b3f8, lpFindFileData=0x3a1fa84 | out: lpFindFileData=0x3a1fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x90cd45e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x90cd45e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0067.448] FindNextFileW (in: hFindFile=0x2cf018, lpFindFileData=0x3a1f808 | out: lpFindFileData=0x3a1f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0067.448] FindNextFileW (in: hFindFile=0x2cf018, lpFindFileData=0x3a1f808 | out: lpFindFileData=0x3a1f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0069.732] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0069.732] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40397b0 | out: hHeap=0x240000) returned 1 [0069.732] FindNextFileW (in: hFindFile=0x3fe24e0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99177d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3a1f1f4, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0069.732] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\*", lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99177d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0069.733] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99177d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x99177d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0069.733] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf01be3d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x99177d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.XML", cAlternateFileName="")) returned 1 [0069.733] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0069.733] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40397b0 | out: hHeap=0x240000) returned 1 [0069.733] FindNextFileW (in: hFindFile=0x3fe24e0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3a1f1f4, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0069.733] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\*", lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.478] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b7fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.478] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4e37e00, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.XML", cAlternateFileName="")) returned 1 [0070.478] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.478] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40397b0 | out: hHeap=0x240000) returned 1 [0070.478] FindNextFileW (in: hFindFile=0x3fe24e0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3a1f1f4, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0070.478] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\*", lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.485] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7941190, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.485] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2bd90c0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.XML", cAlternateFileName="")) returned 1 [0070.486] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.486] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40397b0 | out: hHeap=0x240000) returned 1 [0070.486] FindNextFileW (in: hFindFile=0x3fe24e0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab8a250, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3a1f1f4, cFileName="Proofing.en-us", cAlternateFileName="PROOFI~1.EN-")) returned 1 [0070.486] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\*", lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab8a250, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.486] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab640f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xab8a250, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.486] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf00db300, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.XML", cAlternateFileName="")) returned 1 [0070.486] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.486] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40397b0 | out: hHeap=0x240000) returned 1 [0070.486] FindNextFileW (in: hFindFile=0x3fe24e0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd64f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3a1f1f4, cFileName="PROPLUSR", cAlternateFileName="")) returned 1 [0070.486] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\*", lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd64f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.722] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6cd64f50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.722] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x170fe40, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6cd64f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProPlusrWW.XML", cAlternateFileName="PROPLU~1.XML")) returned 1 [0070.723] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.723] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40397b0 | out: hHeap=0x240000) returned 1 [0070.723] FindNextFileW (in: hFindFile=0x3fe24e0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bc89d70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3a1f1f4, cFileName="Publisher.en-us", cAlternateFileName="PUBLIS~1.EN-")) returned 1 [0070.723] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\*", lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bc89d70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.723] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ba9ab90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1bc89d70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bc89d70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.723] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc3e4630, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x1ba9ab90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublisherMUI.XML", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0070.724] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.724] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40397b0 | out: hHeap=0x240000) returned 1 [0070.724] FindNextFileW (in: hFindFile=0x3fe24e0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cba0700, ftCreationTime.dwHighDateTime=0x1cb7664, ftLastAccessTime.dwLowDateTime=0xd78c2600, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8cba0700, ftLastWriteTime.dwHighDateTime=0x1cb7664, nFileSizeHigh=0x0, nFileSizeLow=0x150378, dwReserved0=0x0, dwReserved1=0x3a1f1f4, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0070.724] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\*", lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b66320, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x50da17c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.724] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b66320, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x50da17c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.724] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43bdc500, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x50da17c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0070.726] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.727] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40397b0 | out: hHeap=0x240000) returned 1 [0070.727] FindNextFileW (in: hFindFile=0x3fe24e0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83258520, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x84c615c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3a1f1f4, cFileName="VISIOR", cAlternateFileName="")) returned 1 [0070.728] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\*", lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83258520, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x84c615c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.728] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83258520, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x84c615c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.728] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a6d3200, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x84c615c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0070.728] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.728] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40397b0 | out: hHeap=0x240000) returned 1 [0070.728] FindNextFileW (in: hFindFile=0x3fe24e0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3a1f1f4, cFileName="Word.en-us", cAlternateFileName="WORD~1.EN-")) returned 1 [0070.728] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\*", lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0070.752] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.752] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe076d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0070.753] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0070.753] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40397b0 | out: hHeap=0x240000) returned 1 [0070.753] FindNextFileW (in: hFindFile=0x3fe24e0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e501370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e501370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e501370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3a1f1f4, cFileName="Word.en-us", cAlternateFileName="WORD~1.EN-")) returned 0 [0070.753] FindClose (in: hFindFile=0x3fe24e0 | out: hFindFile=0x3fe24e0) returned 1 [0070.753] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4004770 | out: hHeap=0x240000) returned 1 [0070.755] FindNextFileW (in: hFindFile=0x3fe2520, lpFindFileData=0x3a1f310 | out: lpFindFileData=0x3a1f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5de00200, ftCreationTime.dwHighDateTime=0x1cac9ac, ftLastAccessTime.dwLowDateTime=0x6bc953f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5de00200, ftLastWriteTime.dwHighDateTime=0x1cac9ac, nFileSizeHigh=0x0, nFileSizeLow=0x2560, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFREL.DLL", cAlternateFileName="")) returned 1 [0070.755] lstrlenW (lpString="OFFREL.DLL") returned 10 [0070.755] lstrlenW (lpString=".1cd") returned 4 [0070.755] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0070.755] lstrlenW (lpString=".3ds") returned 4 [0070.755] lstrcmpiW (lpString1=".3ds", lpString2=".DLL") returned -1 [0070.755] lstrlenW (lpString=".3fr") returned 4 [0070.755] lstrcmpiW (lpString1=".3fr", lpString2=".DLL") returned -1 [0070.755] lstrlenW (lpString=".3g2") returned 4 [0070.755] lstrcmpiW (lpString1=".3g2", lpString2=".DLL") returned -1 [0070.755] lstrlenW (lpString=".3gp") returned 4 [0070.755] lstrcmpiW (lpString1=".3gp", lpString2=".DLL") returned -1 [0070.755] lstrlenW (lpString=".7z") returned 3 [0070.755] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0070.755] lstrlenW (lpString=".accda") returned 6 [0070.756] lstrcmpiW (lpString1=".accda", lpString2="EL.DLL") returned -1 [0070.756] lstrlenW (lpString=".accdb") returned 6 [0070.756] lstrcmpiW (lpString1=".accdb", lpString2="EL.DLL") returned -1 [0070.756] lstrlenW (lpString=".accdc") returned 6 [0070.756] lstrcmpiW (lpString1=".accdc", lpString2="EL.DLL") returned -1 [0070.756] lstrlenW (lpString=".accde") returned 6 [0070.756] lstrcmpiW (lpString1=".accde", lpString2="EL.DLL") returned -1 [0070.756] lstrlenW (lpString=".accdt") returned 6 [0070.756] lstrcmpiW (lpString1=".accdt", lpString2="EL.DLL") returned -1 [0070.756] lstrlenW (lpString=".accdw") returned 6 [0070.756] lstrcmpiW (lpString1=".accdw", lpString2="EL.DLL") returned -1 [0070.756] lstrlenW (lpString=".adb") returned 4 [0070.756] lstrcmpiW (lpString1=".adb", lpString2=".DLL") returned -1 [0070.756] lstrlenW (lpString=".adp") returned 4 [0070.756] lstrcmpiW (lpString1=".adp", lpString2=".DLL") returned -1 [0070.756] lstrlenW (lpString=".ai") returned 3 [0070.756] lstrcmpiW (lpString1=".ai", lpString2="DLL") returned -1 [0070.756] lstrlenW (lpString=".ai3") returned 4 [0070.756] lstrcmpiW (lpString1=".ai3", lpString2=".DLL") returned -1 [0070.756] lstrlenW (lpString=".ai4") returned 4 [0070.756] lstrcmpiW (lpString1=".ai4", lpString2=".DLL") returned -1 [0070.756] lstrlenW (lpString=".ai5") returned 4 [0070.756] lstrcmpiW (lpString1=".ai5", lpString2=".DLL") returned -1 [0070.756] lstrlenW (lpString=".ai6") returned 4 [0070.756] lstrcmpiW (lpString1=".ai6", lpString2=".DLL") returned -1 [0070.756] lstrlenW (lpString=".ai7") returned 4 [0070.756] lstrcmpiW (lpString1=".ai7", lpString2=".DLL") returned -1 [0070.756] lstrlenW (lpString=".ai8") returned 4 [0070.757] lstrcmpiW (lpString1=".ai8", lpString2=".DLL") returned -1 [0070.757] lstrlenW (lpString=".anim") returned 5 [0070.757] lstrcmpiW (lpString1=".anim", lpString2="L.DLL") returned -1 [0070.757] lstrlenW (lpString=".arw") returned 4 [0070.757] lstrcmpiW (lpString1=".arw", lpString2=".DLL") returned -1 [0070.757] lstrlenW (lpString=".as") returned 3 [0070.757] lstrcmpiW (lpString1=".as", lpString2="DLL") returned -1 [0070.757] lstrlenW (lpString=".asa") returned 4 [0070.757] lstrcmpiW (lpString1=".asa", lpString2=".DLL") returned -1 [0070.757] lstrlenW (lpString=".asc") returned 4 [0070.757] lstrcmpiW (lpString1=".asc", lpString2=".DLL") returned -1 [0070.757] lstrlenW (lpString=".ascx") returned 5 [0070.757] lstrcmpiW (lpString1=".ascx", lpString2="L.DLL") returned -1 [0070.757] lstrlenW (lpString=".asm") returned 4 [0070.757] lstrcmpiW (lpString1=".asm", lpString2=".DLL") returned -1 [0070.757] lstrlenW (lpString=".asmx") returned 5 [0070.757] lstrcmpiW (lpString1=".asmx", lpString2="L.DLL") returned -1 [0070.757] lstrlenW (lpString=".asp") returned 4 [0070.757] lstrcmpiW (lpString1=".asp", lpString2=".DLL") returned -1 [0070.757] lstrlenW (lpString=".aspx") returned 5 [0070.769] lstrcmpiW (lpString1=".aspx", lpString2="L.DLL") returned -1 [0070.769] lstrlenW (lpString=".asr") returned 4 [0070.769] lstrcmpiW (lpString1=".asr", lpString2=".DLL") returned -1 [0070.769] lstrlenW (lpString=".asx") returned 4 [0070.769] lstrcmpiW (lpString1=".asx", lpString2=".DLL") returned -1 [0070.769] lstrlenW (lpString=".avi") returned 4 [0070.769] lstrcmpiW (lpString1=".avi", lpString2=".DLL") returned -1 [0070.769] lstrlenW (lpString=".avs") returned 4 [0070.769] lstrcmpiW (lpString1=".avs", lpString2=".DLL") returned -1 [0070.769] lstrlenW (lpString=".backup") returned 7 [0070.769] lstrcmpiW (lpString1=".backup", lpString2="REL.DLL") returned -1 [0070.769] lstrlenW (lpString=".bak") returned 4 [0070.769] lstrcmpiW (lpString1=".bak", lpString2=".DLL") returned -1 [0070.769] lstrlenW (lpString=".bay") returned 4 [0070.769] lstrcmpiW (lpString1=".bay", lpString2=".DLL") returned -1 [0070.769] lstrlenW (lpString=".bd") returned 3 [0070.769] lstrcmpiW (lpString1=".bd", lpString2="DLL") returned -1 [0070.769] lstrlenW (lpString=".bin") returned 4 [0070.769] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0070.769] lstrlenW (lpString=".bmp") returned 4 [0070.769] lstrcmpiW (lpString1=".bmp", lpString2=".DLL") returned -1 [0070.769] lstrlenW (lpString=".bz2") returned 4 [0070.769] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0070.769] lstrlenW (lpString=".c") returned 2 [0070.769] lstrcmpiW (lpString1=".c", lpString2="LL") returned -1 [0070.769] lstrlenW (lpString=".cdr") returned 4 [0070.769] lstrcmpiW (lpString1=".cdr", lpString2=".DLL") returned -1 [0070.769] lstrlenW (lpString=".cer") returned 4 [0070.770] lstrcmpiW (lpString1=".cer", lpString2=".DLL") returned -1 [0070.770] lstrlenW (lpString=".cf") returned 3 [0070.770] lstrcmpiW (lpString1=".cf", lpString2="DLL") returned -1 [0070.770] lstrlenW (lpString=".cfc") returned 4 [0070.770] lstrcmpiW (lpString1=".cfc", lpString2=".DLL") returned -1 [0070.770] lstrlenW (lpString=".cfm") returned 4 [0070.770] lstrcmpiW (lpString1=".cfm", lpString2=".DLL") returned -1 [0070.770] lstrlenW (lpString=".cfml") returned 5 [0070.770] lstrcmpiW (lpString1=".cfml", lpString2="L.DLL") returned -1 [0070.770] lstrlenW (lpString=".cfu") returned 4 [0070.770] lstrcmpiW (lpString1=".cfu", lpString2=".DLL") returned -1 [0070.770] lstrlenW (lpString=".chm") returned 4 [0070.770] lstrcmpiW (lpString1=".chm", lpString2=".DLL") returned -1 [0070.770] lstrlenW (lpString=".cin") returned 4 [0070.770] lstrcmpiW (lpString1=".cin", lpString2=".DLL") returned -1 [0070.770] lstrlenW (lpString=".class") returned 6 [0070.770] lstrcmpiW (lpString1=".class", lpString2="EL.DLL") returned -1 [0070.770] lstrlenW (lpString=".clx") returned 4 [0070.770] lstrcmpiW (lpString1=".clx", lpString2=".DLL") returned -1 [0070.770] lstrlenW (lpString=".config") returned 7 [0070.770] lstrcmpiW (lpString1=".config", lpString2="REL.DLL") returned -1 [0070.770] lstrlenW (lpString=".cpp") returned 4 [0070.770] lstrcmpiW (lpString1=".cpp", lpString2=".DLL") returned -1 [0070.770] lstrlenW (lpString=".cr2") returned 4 [0070.770] lstrcmpiW (lpString1=".cr2", lpString2=".DLL") returned -1 [0070.770] lstrlenW (lpString=".crt") returned 4 [0070.770] lstrcmpiW (lpString1=".crt", lpString2=".DLL") returned -1 [0070.770] lstrlenW (lpString=".crw") returned 4 [0070.770] lstrcmpiW (lpString1=".crw", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".cs") returned 3 [0070.771] lstrcmpiW (lpString1=".cs", lpString2="DLL") returned -1 [0070.771] lstrlenW (lpString=".css") returned 4 [0070.771] lstrcmpiW (lpString1=".css", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".csv") returned 4 [0070.771] lstrcmpiW (lpString1=".csv", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".cub") returned 4 [0070.771] lstrcmpiW (lpString1=".cub", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".dae") returned 4 [0070.771] lstrcmpiW (lpString1=".dae", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".dat") returned 4 [0070.771] lstrcmpiW (lpString1=".dat", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".db") returned 3 [0070.771] lstrcmpiW (lpString1=".db", lpString2="DLL") returned -1 [0070.771] lstrlenW (lpString=".dbf") returned 4 [0070.771] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".dbx") returned 4 [0070.771] lstrcmpiW (lpString1=".dbx", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".dc3") returned 4 [0070.771] lstrcmpiW (lpString1=".dc3", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".dcm") returned 4 [0070.771] lstrcmpiW (lpString1=".dcm", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".dcr") returned 4 [0070.771] lstrcmpiW (lpString1=".dcr", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".der") returned 4 [0070.771] lstrcmpiW (lpString1=".der", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".dib") returned 4 [0070.771] lstrcmpiW (lpString1=".dib", lpString2=".DLL") returned -1 [0070.771] lstrlenW (lpString=".dic") returned 4 [0070.772] lstrcmpiW (lpString1=".dic", lpString2=".DLL") returned -1 [0070.772] lstrlenW (lpString=".dif") returned 4 [0070.772] lstrcmpiW (lpString1=".dif", lpString2=".DLL") returned -1 [0070.772] lstrlenW (lpString=".divx") returned 5 [0070.772] lstrcmpiW (lpString1=".divx", lpString2="L.DLL") returned -1 [0070.772] lstrlenW (lpString=".djvu") returned 5 [0070.772] lstrcmpiW (lpString1=".djvu", lpString2="L.DLL") returned -1 [0070.772] lstrlenW (lpString=".dng") returned 4 [0070.772] lstrcmpiW (lpString1=".dng", lpString2=".DLL") returned 1 [0070.772] lstrlenW (lpString=".doc") returned 4 [0070.772] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0070.772] lstrlenW (lpString=".docm") returned 5 [0070.772] lstrcmpiW (lpString1=".docm", lpString2="L.DLL") returned -1 [0070.772] lstrlenW (lpString=".docx") returned 5 [0070.772] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0070.772] lstrlenW (lpString=".dot") returned 4 [0070.772] lstrcmpiW (lpString1=".dot", lpString2=".DLL") returned 1 [0070.772] lstrlenW (lpString=".dotm") returned 5 [0070.772] lstrcmpiW (lpString1=".dotm", lpString2="L.DLL") returned -1 [0070.772] lstrlenW (lpString=".dotx") returned 5 [0070.772] lstrcmpiW (lpString1=".dotx", lpString2="L.DLL") returned -1 [0070.772] lstrlenW (lpString=".dpx") returned 4 [0070.772] lstrcmpiW (lpString1=".dpx", lpString2=".DLL") returned 1 [0070.772] lstrlenW (lpString=".dqy") returned 4 [0070.772] lstrcmpiW (lpString1=".dqy", lpString2=".DLL") returned 1 [0070.772] lstrlenW (lpString=".dsn") returned 4 [0070.772] lstrcmpiW (lpString1=".dsn", lpString2=".DLL") returned 1 [0070.772] lstrlenW (lpString=".dt") returned 3 [0070.773] lstrcmpiW (lpString1=".dt", lpString2="DLL") returned -1 [0070.773] lstrlenW (lpString=".dtd") returned 4 [0070.773] lstrcmpiW (lpString1=".dtd", lpString2=".DLL") returned 1 [0070.773] lstrlenW (lpString=".dwg") returned 4 [0070.773] lstrcmpiW (lpString1=".dwg", lpString2=".DLL") returned 1 [0070.773] lstrlenW (lpString=".dwt") returned 4 [0070.773] lstrcmpiW (lpString1=".dwt", lpString2=".DLL") returned 1 [0070.773] lstrlenW (lpString=".dx") returned 3 [0070.773] lstrcmpiW (lpString1=".dx", lpString2="DLL") returned -1 [0070.773] lstrlenW (lpString=".dxf") returned 4 [0070.773] lstrcmpiW (lpString1=".dxf", lpString2=".DLL") returned 1 [0070.773] lstrlenW (lpString=".edml") returned 5 [0070.773] lstrcmpiW (lpString1=".edml", lpString2="L.DLL") returned -1 [0070.773] lstrlenW (lpString=".efd") returned 4 [0070.773] lstrcmpiW (lpString1=".efd", lpString2=".DLL") returned 1 [0070.773] lstrlenW (lpString=".elf") returned 4 [0070.773] lstrcmpiW (lpString1=".elf", lpString2=".DLL") returned 1 [0070.773] lstrlenW (lpString=".emf") returned 4 [0070.773] lstrcmpiW (lpString1=".emf", lpString2=".DLL") returned 1 [0070.773] lstrlenW (lpString=".emz") returned 4 [0070.773] lstrcmpiW (lpString1=".emz", lpString2=".DLL") returned 1 [0070.773] lstrlenW (lpString=".epf") returned 4 [0070.773] lstrcmpiW (lpString1=".epf", lpString2=".DLL") returned 1 [0070.773] lstrlenW (lpString=".eps") returned 4 [0070.773] lstrcmpiW (lpString1=".eps", lpString2=".DLL") returned 1 [0070.773] lstrlenW (lpString=".epsf") returned 5 [0070.773] lstrcmpiW (lpString1=".epsf", lpString2="L.DLL") returned -1 [0070.773] lstrlenW (lpString=".epsp") returned 5 [0070.773] lstrcmpiW (lpString1=".epsp", lpString2="L.DLL") returned -1 [0070.773] lstrlenW (lpString=".erf") returned 4 [0070.774] lstrcmpiW (lpString1=".erf", lpString2=".DLL") returned 1 [0070.774] lstrlenW (lpString=".exr") returned 4 [0070.774] lstrcmpiW (lpString1=".exr", lpString2=".DLL") returned 1 [0070.774] lstrlenW (lpString=".f4v") returned 4 [0070.774] lstrcmpiW (lpString1=".f4v", lpString2=".DLL") returned 1 [0070.774] lstrlenW (lpString=".fido") returned 5 [0070.774] lstrcmpiW (lpString1=".fido", lpString2="L.DLL") returned -1 [0070.774] lstrlenW (lpString=".flm") returned 4 [0070.774] lstrcmpiW (lpString1=".flm", lpString2=".DLL") returned 1 [0070.774] lstrlenW (lpString=".flv") returned 4 [0070.774] lstrcmpiW (lpString1=".flv", lpString2=".DLL") returned 1 [0070.774] lstrlenW (lpString=".frm") returned 4 [0070.774] lstrcmpiW (lpString1=".frm", lpString2=".DLL") returned 1 [0070.774] lstrlenW (lpString=".fxg") returned 4 [0070.774] lstrcmpiW (lpString1=".fxg", lpString2=".DLL") returned 1 [0070.774] lstrlenW (lpString=".geo") returned 4 [0070.774] lstrcmpiW (lpString1=".geo", lpString2=".DLL") returned 1 [0070.774] lstrlenW (lpString=".gif") returned 4 [0070.774] lstrcmpiW (lpString1=".gif", lpString2=".DLL") returned 1 [0070.774] lstrlenW (lpString=".grs") returned 4 [0070.774] lstrcmpiW (lpString1=".grs", lpString2=".DLL") returned 1 [0070.774] lstrlenW (lpString=".gz") returned 3 [0070.774] lstrcmpiW (lpString1=".gz", lpString2="DLL") returned -1 [0070.774] lstrlenW (lpString=".h") returned 2 [0070.774] lstrcmpiW (lpString1=".h", lpString2="LL") returned -1 [0070.774] lstrlenW (lpString=".hdr") returned 4 [0070.774] lstrcmpiW (lpString1=".hdr", lpString2=".DLL") returned 1 [0070.774] lstrlenW (lpString=".hpp") returned 4 [0070.775] lstrcmpiW (lpString1=".hpp", lpString2=".DLL") returned 1 [0070.775] lstrlenW (lpString=".hta") returned 4 [0070.775] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0070.775] lstrlenW (lpString=".htc") returned 4 [0070.775] lstrcmpiW (lpString1=".htc", lpString2=".DLL") returned 1 [0070.775] lstrlenW (lpString=".htm") returned 4 [0070.775] lstrcmpiW (lpString1=".htm", lpString2=".DLL") returned 1 [0070.775] lstrlenW (lpString=".html") returned 5 [0070.775] lstrcmpiW (lpString1=".html", lpString2="L.DLL") returned -1 [0070.775] lstrlenW (lpString=".icb") returned 4 [0070.775] lstrcmpiW (lpString1=".icb", lpString2=".DLL") returned 1 [0070.775] lstrlenW (lpString=".ics") returned 4 [0070.775] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0070.775] lstrlenW (lpString=".iff") returned 4 [0070.775] lstrcmpiW (lpString1=".iff", lpString2=".DLL") returned 1 [0070.775] lstrlenW (lpString=".inc") returned 4 [0070.775] lstrcmpiW (lpString1=".inc", lpString2=".DLL") returned 1 [0070.775] lstrlenW (lpString=".indd") returned 5 [0070.775] lstrcmpiW (lpString1=".indd", lpString2="L.DLL") returned -1 [0070.775] lstrlenW (lpString=".ini") returned 4 [0070.775] lstrcmpiW (lpString1=".ini", lpString2=".DLL") returned 1 [0070.775] lstrlenW (lpString=".iqy") returned 4 [0070.775] lstrcmpiW (lpString1=".iqy", lpString2=".DLL") returned 1 [0070.775] lstrlenW (lpString=".j2c") returned 4 [0070.775] lstrcmpiW (lpString1=".j2c", lpString2=".DLL") returned 1 [0070.775] lstrlenW (lpString=".j2k") returned 4 [0070.775] lstrcmpiW (lpString1=".j2k", lpString2=".DLL") returned 1 [0070.775] lstrlenW (lpString=".java") returned 5 [0070.775] lstrcmpiW (lpString1=".java", lpString2="L.DLL") returned -1 [0070.775] lstrlenW (lpString=".jp2") returned 4 [0070.776] lstrcmpiW (lpString1=".jp2", lpString2=".DLL") returned 1 [0070.776] lstrlenW (lpString=".jpc") returned 4 [0070.776] lstrcmpiW (lpString1=".jpc", lpString2=".DLL") returned 1 [0070.776] lstrlenW (lpString=".jpe") returned 4 [0070.776] lstrcmpiW (lpString1=".jpe", lpString2=".DLL") returned 1 [0070.776] lstrlenW (lpString=".jpeg") returned 5 [0070.776] lstrcmpiW (lpString1=".jpeg", lpString2="L.DLL") returned -1 [0070.776] lstrlenW (lpString=".jpf") returned 4 [0070.776] lstrcmpiW (lpString1=".jpf", lpString2=".DLL") returned 1 [0070.776] lstrlenW (lpString=".jpg") returned 4 [0070.776] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0070.776] lstrlenW (lpString=".jpx") returned 4 [0070.776] lstrcmpiW (lpString1=".jpx", lpString2=".DLL") returned 1 [0070.776] lstrlenW (lpString=".js") returned 3 [0070.776] lstrcmpiW (lpString1=".js", lpString2="DLL") returned -1 [0070.776] lstrlenW (lpString=".jsf") returned 4 [0070.776] lstrcmpiW (lpString1=".jsf", lpString2=".DLL") returned 1 [0070.776] lstrlenW (lpString=".json") returned 5 [0070.776] lstrcmpiW (lpString1=".json", lpString2="L.DLL") returned -1 [0070.776] lstrlenW (lpString=".jsp") returned 4 [0070.776] lstrcmpiW (lpString1=".jsp", lpString2=".DLL") returned 1 [0070.776] lstrlenW (lpString=".kdc") returned 4 [0070.776] lstrcmpiW (lpString1=".kdc", lpString2=".DLL") returned 1 [0070.776] lstrlenW (lpString=".kmz") returned 4 [0070.776] lstrcmpiW (lpString1=".kmz", lpString2=".DLL") returned 1 [0070.776] lstrlenW (lpString=".kwm") returned 4 [0070.776] lstrcmpiW (lpString1=".kwm", lpString2=".DLL") returned 1 [0070.776] lstrlenW (lpString=".lasso") returned 6 [0070.777] lstrcmpiW (lpString1=".lasso", lpString2="EL.DLL") returned -1 [0070.777] lstrlenW (lpString=".lbi") returned 4 [0070.777] lstrcmpiW (lpString1=".lbi", lpString2=".DLL") returned 1 [0070.777] lstrlenW (lpString=".lgf") returned 4 [0070.777] lstrcmpiW (lpString1=".lgf", lpString2=".DLL") returned 1 [0070.777] lstrlenW (lpString=".lgp") returned 4 [0070.777] lstrcmpiW (lpString1=".lgp", lpString2=".DLL") returned 1 [0070.777] lstrlenW (lpString=".log") returned 4 [0070.777] lstrcmpiW (lpString1=".log", lpString2=".DLL") returned 1 [0070.777] lstrlenW (lpString=".m1v") returned 4 [0070.777] lstrcmpiW (lpString1=".m1v", lpString2=".DLL") returned 1 [0070.777] lstrlenW (lpString=".m4a") returned 4 [0070.777] lstrcmpiW (lpString1=".m4a", lpString2=".DLL") returned 1 [0070.777] lstrlenW (lpString=".m4v") returned 4 [0070.777] lstrcmpiW (lpString1=".m4v", lpString2=".DLL") returned 1 [0070.777] lstrlenW (lpString=".max") returned 4 [0070.777] lstrcmpiW (lpString1=".max", lpString2=".DLL") returned 1 [0070.777] lstrlenW (lpString=".md") returned 3 [0070.777] lstrcmpiW (lpString1=".md", lpString2="DLL") returned -1 [0070.777] lstrlenW (lpString=".mda") returned 4 [0070.777] lstrcmpiW (lpString1=".mda", lpString2=".DLL") returned 1 [0070.777] lstrlenW (lpString=".mdb") returned 4 [0070.777] lstrcmpiW (lpString1=".mdb", lpString2=".DLL") returned 1 [0070.777] lstrlenW (lpString=".mde") returned 4 [0070.777] lstrcmpiW (lpString1=".mde", lpString2=".DLL") returned 1 [0070.777] lstrlenW (lpString=".mdf") returned 4 [0070.777] lstrcmpiW (lpString1=".mdf", lpString2=".DLL") returned 1 [0070.777] lstrlenW (lpString=".mdw") returned 4 [0070.778] lstrcmpiW (lpString1=".mdw", lpString2=".DLL") returned 1 [0070.778] lstrlenW (lpString=".mef") returned 4 [0070.778] lstrcmpiW (lpString1=".mef", lpString2=".DLL") returned 1 [0070.778] lstrlenW (lpString=".mft") returned 4 [0070.778] lstrcmpiW (lpString1=".mft", lpString2=".DLL") returned 1 [0070.778] lstrlenW (lpString=".mfw") returned 4 [0070.778] lstrcmpiW (lpString1=".mfw", lpString2=".DLL") returned 1 [0070.778] lstrlenW (lpString=".mht") returned 4 [0070.778] lstrcmpiW (lpString1=".mht", lpString2=".DLL") returned 1 [0070.778] lstrlenW (lpString=".mhtml") returned 6 [0070.778] lstrcmpiW (lpString1=".mhtml", lpString2="EL.DLL") returned -1 [0070.778] lstrlenW (lpString=".mka") returned 4 [0070.778] lstrcmpiW (lpString1=".mka", lpString2=".DLL") returned 1 [0070.778] lstrlenW (lpString=".mkidx") returned 6 [0070.778] lstrcmpiW (lpString1=".mkidx", lpString2="EL.DLL") returned -1 [0070.778] lstrlenW (lpString=".mkv") returned 4 [0070.778] lstrcmpiW (lpString1=".mkv", lpString2=".DLL") returned 1 [0070.778] lstrlenW (lpString=".mos") returned 4 [0070.778] lstrcmpiW (lpString1=".mos", lpString2=".DLL") returned 1 [0070.778] lstrlenW (lpString=".mov") returned 4 [0070.778] lstrcmpiW (lpString1=".mov", lpString2=".DLL") returned 1 [0070.778] lstrlenW (lpString=".mp3") returned 4 [0070.778] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0070.778] lstrlenW (lpString=".mp4") returned 4 [0070.778] lstrcmpiW (lpString1=".mp4", lpString2=".DLL") returned 1 [0070.778] lstrlenW (lpString=".mpeg") returned 5 [0070.778] lstrcmpiW (lpString1=".mpeg", lpString2="L.DLL") returned -1 [0070.778] lstrlenW (lpString=".mpg") returned 4 [0070.779] lstrcmpiW (lpString1=".mpg", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".mpv") returned 4 [0070.779] lstrcmpiW (lpString1=".mpv", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".mrw") returned 4 [0070.779] lstrcmpiW (lpString1=".mrw", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".msg") returned 4 [0070.779] lstrcmpiW (lpString1=".msg", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".mxl") returned 4 [0070.779] lstrcmpiW (lpString1=".mxl", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".myd") returned 4 [0070.779] lstrcmpiW (lpString1=".myd", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".myi") returned 4 [0070.779] lstrcmpiW (lpString1=".myi", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".nef") returned 4 [0070.779] lstrcmpiW (lpString1=".nef", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".nrw") returned 4 [0070.779] lstrcmpiW (lpString1=".nrw", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".obj") returned 4 [0070.779] lstrcmpiW (lpString1=".obj", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".odb") returned 4 [0070.779] lstrcmpiW (lpString1=".odb", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".odc") returned 4 [0070.779] lstrcmpiW (lpString1=".odc", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".odm") returned 4 [0070.779] lstrcmpiW (lpString1=".odm", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".odp") returned 4 [0070.779] lstrcmpiW (lpString1=".odp", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".ods") returned 4 [0070.779] lstrcmpiW (lpString1=".ods", lpString2=".DLL") returned 1 [0070.779] lstrlenW (lpString=".oft") returned 4 [0070.780] lstrcmpiW (lpString1=".oft", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".one") returned 4 [0070.780] lstrcmpiW (lpString1=".one", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".onepkg") returned 7 [0070.780] lstrcmpiW (lpString1=".onepkg", lpString2="REL.DLL") returned -1 [0070.780] lstrlenW (lpString=".onetoc2") returned 8 [0070.780] lstrcmpiW (lpString1=".onetoc2", lpString2="FREL.DLL") returned -1 [0070.780] lstrlenW (lpString=".opt") returned 4 [0070.780] lstrcmpiW (lpString1=".opt", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".oqy") returned 4 [0070.780] lstrcmpiW (lpString1=".oqy", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".orf") returned 4 [0070.780] lstrcmpiW (lpString1=".orf", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".p12") returned 4 [0070.780] lstrcmpiW (lpString1=".p12", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".p7b") returned 4 [0070.780] lstrcmpiW (lpString1=".p7b", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".p7c") returned 4 [0070.780] lstrcmpiW (lpString1=".p7c", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".pam") returned 4 [0070.780] lstrcmpiW (lpString1=".pam", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".pbm") returned 4 [0070.780] lstrcmpiW (lpString1=".pbm", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".pct") returned 4 [0070.780] lstrcmpiW (lpString1=".pct", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".pcx") returned 4 [0070.780] lstrcmpiW (lpString1=".pcx", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".pdd") returned 4 [0070.780] lstrcmpiW (lpString1=".pdd", lpString2=".DLL") returned 1 [0070.780] lstrlenW (lpString=".pdf") returned 4 [0070.781] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0070.781] lstrlenW (lpString=".pdp") returned 4 [0070.781] lstrcmpiW (lpString1=".pdp", lpString2=".DLL") returned 1 [0070.781] lstrlenW (lpString=".pef") returned 4 [0070.781] lstrcmpiW (lpString1=".pef", lpString2=".DLL") returned 1 [0070.781] lstrlenW (lpString=".pem") returned 4 [0070.781] lstrcmpiW (lpString1=".pem", lpString2=".DLL") returned 1 [0070.781] lstrlenW (lpString=".pff") returned 4 [0070.781] lstrcmpiW (lpString1=".pff", lpString2=".DLL") returned 1 [0070.781] lstrlenW (lpString=".pfm") returned 4 [0070.781] lstrcmpiW (lpString1=".pfm", lpString2=".DLL") returned 1 [0070.781] lstrlenW (lpString=".pfx") returned 4 [0070.781] lstrcmpiW (lpString1=".pfx", lpString2=".DLL") returned 1 [0070.781] lstrlenW (lpString=".pgm") returned 4 [0070.781] lstrcmpiW (lpString1=".pgm", lpString2=".DLL") returned 1 [0070.781] lstrlenW (lpString=".php") returned 4 [0070.781] lstrcmpiW (lpString1=".php", lpString2=".DLL") returned 1 [0070.781] lstrlenW (lpString=".php3") returned 5 [0070.781] lstrcmpiW (lpString1=".php3", lpString2="L.DLL") returned -1 [0070.781] lstrlenW (lpString=".php4") returned 5 [0070.781] lstrcmpiW (lpString1=".php4", lpString2="L.DLL") returned -1 [0070.781] lstrlenW (lpString=".php5") returned 5 [0070.781] lstrcmpiW (lpString1=".php5", lpString2="L.DLL") returned -1 [0070.781] lstrlenW (lpString=".phtml") returned 6 [0070.781] lstrcmpiW (lpString1=".phtml", lpString2="EL.DLL") returned -1 [0070.781] lstrlenW (lpString=".pict") returned 5 [0070.781] lstrcmpiW (lpString1=".pict", lpString2="L.DLL") returned -1 [0070.781] lstrlenW (lpString=".pl") returned 3 [0070.782] lstrcmpiW (lpString1=".pl", lpString2="DLL") returned -1 [0070.782] lstrlenW (lpString=".pls") returned 4 [0070.782] lstrcmpiW (lpString1=".pls", lpString2=".DLL") returned 1 [0070.782] lstrlenW (lpString=".pm") returned 3 [0070.782] lstrcmpiW (lpString1=".pm", lpString2="DLL") returned -1 [0070.782] lstrlenW (lpString=".png") returned 4 [0070.782] lstrcmpiW (lpString1=".png", lpString2=".DLL") returned 1 [0070.782] lstrlenW (lpString=".pnm") returned 4 [0070.782] lstrcmpiW (lpString1=".pnm", lpString2=".DLL") returned 1 [0070.782] lstrlenW (lpString=".pot") returned 4 [0070.782] lstrcmpiW (lpString1=".pot", lpString2=".DLL") returned 1 [0070.782] lstrlenW (lpString=".potm") returned 5 [0070.782] lstrcmpiW (lpString1=".potm", lpString2="L.DLL") returned -1 [0070.782] lstrlenW (lpString=".potx") returned 5 [0070.782] lstrcmpiW (lpString1=".potx", lpString2="L.DLL") returned -1 [0070.782] lstrlenW (lpString=".ppa") returned 4 [0070.782] lstrcmpiW (lpString1=".ppa", lpString2=".DLL") returned 1 [0070.782] lstrlenW (lpString=".ppam") returned 5 [0070.782] lstrcmpiW (lpString1=".ppam", lpString2="L.DLL") returned -1 [0070.782] lstrlenW (lpString=".ppm") returned 4 [0070.782] lstrcmpiW (lpString1=".ppm", lpString2=".DLL") returned 1 [0070.782] lstrlenW (lpString=".pps") returned 4 [0070.782] lstrcmpiW (lpString1=".pps", lpString2=".DLL") returned 1 [0070.782] lstrlenW (lpString=".ppsm") returned 5 [0070.782] lstrcmpiW (lpString1=".ppsm", lpString2="L.DLL") returned -1 [0070.782] lstrlenW (lpString=".ppt") returned 4 [0070.782] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0070.782] lstrlenW (lpString=".pptm") returned 5 [0070.782] lstrcmpiW (lpString1=".pptm", lpString2="L.DLL") returned -1 [0070.783] lstrlenW (lpString=".pptx") returned 5 [0070.783] lstrcmpiW (lpString1=".pptx", lpString2="L.DLL") returned -1 [0070.783] lstrlenW (lpString=".prn") returned 4 [0070.783] lstrcmpiW (lpString1=".prn", lpString2=".DLL") returned 1 [0070.783] lstrlenW (lpString=".ps") returned 3 [0070.783] lstrcmpiW (lpString1=".ps", lpString2="DLL") returned -1 [0070.783] lstrlenW (lpString=".psb") returned 4 [0070.783] lstrcmpiW (lpString1=".psb", lpString2=".DLL") returned 1 [0070.783] lstrlenW (lpString=".psd") returned 4 [0070.783] lstrcmpiW (lpString1=".psd", lpString2=".DLL") returned 1 [0070.783] lstrlenW (lpString=".pst") returned 4 [0070.783] lstrcmpiW (lpString1=".pst", lpString2=".DLL") returned 1 [0070.783] lstrlenW (lpString=".ptx") returned 4 [0070.783] lstrcmpiW (lpString1=".ptx", lpString2=".DLL") returned 1 [0070.783] lstrlenW (lpString=".pub") returned 4 [0070.783] lstrcmpiW (lpString1=".pub", lpString2=".DLL") returned 1 [0070.783] lstrlenW (lpString=".pwm") returned 4 [0070.783] lstrcmpiW (lpString1=".pwm", lpString2=".DLL") returned 1 [0070.783] lstrlenW (lpString=".pxr") returned 4 [0070.783] lstrcmpiW (lpString1=".pxr", lpString2=".DLL") returned 1 [0070.783] lstrlenW (lpString=".py") returned 3 [0070.783] lstrcmpiW (lpString1=".py", lpString2="DLL") returned -1 [0070.783] lstrlenW (lpString=".qt") returned 3 [0070.783] lstrcmpiW (lpString1=".qt", lpString2="DLL") returned -1 [0070.783] lstrlenW (lpString=".r3d") returned 4 [0070.783] lstrcmpiW (lpString1=".r3d", lpString2=".DLL") returned 1 [0070.783] lstrlenW (lpString=".raf") returned 4 [0070.783] lstrcmpiW (lpString1=".raf", lpString2=".DLL") returned 1 [0070.783] lstrlenW (lpString=".rar") returned 4 [0070.783] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0070.784] lstrlenW (lpString=".raw") returned 4 [0070.784] lstrcmpiW (lpString1=".raw", lpString2=".DLL") returned 1 [0070.784] FindClose (in: hFindFile=0x3fe2520 | out: hFindFile=0x3fe2520) returned 1 [0070.785] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4027798 | out: hHeap=0x240000) returned 1 [0070.785] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x3a1f58c | out: lpFindFileData=0x3a1f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0070.786] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*", lpFindFileData=0x3a1f310 | out: lpFindFileData=0x3a1f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2520 [0070.787] FindNextFileW (in: hFindFile=0x3fe2520, lpFindFileData=0x3a1f310 | out: lpFindFileData=0x3a1f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.787] FindNextFileW (in: hFindFile=0x3fe2520, lpFindFileData=0x3a1f310 | out: lpFindFileData=0x3a1f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x24500, dwReserved0=0x0, dwReserved1=0x0, cFileName="OSPPC.DLL", cAlternateFileName="")) returned 1 [0088.233] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70c9f7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70c9f7b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0088.233] FindNextFileW (in: hFindFile=0x3fe24a0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff9cb700, ftCreationTime.dwHighDateTime=0x1c6a86d, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xff9cb700, ftLastWriteTime.dwHighDateTime=0x1c6a86d, nFileSizeHigh=0x0, nFileSizeLow=0x8b62, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUTHOR.XSL", cAlternateFileName="")) returned 1 [0089.072] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51422110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.072] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec9eed00, ftCreationTime.dwHighDateTime=0x1ca5c5e, ftLastAccessTime.dwLowDateTime=0x51448270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xec9eed00, ftLastWriteTime.dwHighDateTime=0x1ca5c5e, nFileSizeHigh=0x0, nFileSizeLow=0x5cd04, dwReserved0=0x0, dwReserved1=0x0, cFileName="APA.XSL", cAlternateFileName="")) returned 1 [0089.073] FindClose (in: hFindFile=0x3fe25a0 | out: hFindFile=0x3fe25a0) returned 1 [0089.074] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x4024780 | out: hHeap=0x240000) returned 1 [0089.074] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x3a1f310 | out: lpFindFileData=0x3a1f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51422110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 0 [0089.074] FindClose (in: hFindFile=0x3fe23a0 | out: hFindFile=0x3fe23a0) returned 1 [0089.074] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3fb02e0 | out: hHeap=0x240000) returned 1 [0089.074] FindNextFileW (in: hFindFile=0x3fe2560, lpFindFileData=0x3a1f58c | out: lpFindFileData=0x3a1f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58b4ce70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BORDERS", cAlternateFileName="")) returned 1 [0089.075] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\BORDERS\\*", lpFindFileData=0x3a1f310 | out: lpFindFileData=0x3a1f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58b4ce70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe23a0 [0089.386] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x3a1f310 | out: lpFindFileData=0x3a1f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58b4ce70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.386] FindNextFileW (in: hFindFile=0x3fe23a0, lpFindFileData=0x3a1f310 | out: lpFindFileData=0x3a1f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e533000, ftCreationTime.dwHighDateTime=0x1bc8d39, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8e533000, ftLastWriteTime.dwHighDateTime=0x1bc8d39, nFileSizeHigh=0x0, nFileSizeLow=0x7df6, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSART1.BDR", cAlternateFileName="")) returned 1 [0089.387] FindClose (in: hFindFile=0x3fe23a0 | out: hFindFile=0x3fe23a0) returned 1 [0089.388] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3fb02e0 | out: hHeap=0x240000) returned 1 [0089.388] FindNextFileW (in: hFindFile=0x3fe2560, lpFindFileData=0x3a1f58c | out: lpFindFileData=0x3a1f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ee75d00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd248dbc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1ee75d00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x2d998, dwReserved0=0x0, dwReserved1=0x0, cFileName="BRTVIEW.DLL", cAlternateFileName="")) returned 1 [0089.388] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\CONVERT\\*", lpFindFileData=0x3a1f310 | out: lpFindFileData=0x3a1f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfff68b70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d547830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d547830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2660 [0090.185] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x3a1f310 | out: lpFindFileData=0x3a1f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfff68b70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d547830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d547830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.185] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x3a1f310 | out: lpFindFileData=0x3a1f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe7ef0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0092.790] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\*", lpFindFileData=0x3a1eb9c | out: lpFindFileData=0x3a1eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70c9f7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70c9f7b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2720 [0092.799] FindNextFileW (in: hFindFile=0x3fe2720, lpFindFileData=0x3a1eb9c | out: lpFindFileData=0x3a1eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70c9f7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70c9f7b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.800] FindNextFileW (in: hFindFile=0x3fe2720, lpFindFileData=0x3a1eb9c | out: lpFindFileData=0x3a1eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3559c00, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x51a61ad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb3559c00, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x140b, dwReserved0=0x0, dwReserved1=0x0, cFileName="BriefcaseIcon.jpg", cAlternateFileName="BRIEFC~1.JPG")) returned 1 [0092.801] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\*", lpFindFileData=0x3a1e920 | out: lpFindFileData=0x3a1e920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x538bb350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x538bb350, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2760 [0092.802] FindNextFileW (in: hFindFile=0x3fe2760, lpFindFileData=0x3a1e920 | out: lpFindFileData=0x3a1e920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x538bb350, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x538bb350, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.802] FindNextFileW (in: hFindFile=0x3fe2760, lpFindFileData=0x3a1e920 | out: lpFindFileData=0x3a1e920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Project Report Type", cAlternateFileName="PROJEC~1")) returned 1 [0092.802] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\*", lpFindFileData=0x3a1e6a4 | out: lpFindFileData=0x3a1e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe27e0 [0092.802] FindNextFileW (in: hFindFile=0x3fe27e0, lpFindFileData=0x3a1e6a4 | out: lpFindFileData=0x3a1e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.802] FindNextFileW (in: hFindFile=0x3fe27e0, lpFindFileData=0x3a1e6a4 | out: lpFindFileData=0x3a1e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6073a7d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Basic", cAlternateFileName="")) returned 1 [0092.802] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Basic\\*", lpFindFileData=0x3a1e428 | out: lpFindFileData=0x3a1e428*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6073a7d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe26e0 [0092.804] FindNextFileW (in: hFindFile=0x3fe26e0, lpFindFileData=0x3a1e428 | out: lpFindFileData=0x3a1e428*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6073a7d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.804] FindNextFileW (in: hFindFile=0x3fe26e0, lpFindFileData=0x3a1e428 | out: lpFindFileData=0x3a1e428*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb486c900, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb486c900, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0xced, dwReserved0=0x0, dwReserved1=0x0, cFileName="DEFAULT.XSL", cAlternateFileName="")) returned 1 [0092.805] FindClose (in: hFindFile=0x3fe26e0 | out: hFindFile=0x3fe26e0) returned 1 [0092.805] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40797c0 | out: hHeap=0x240000) returned 1 [0092.805] FindNextFileW (in: hFindFile=0x3fe27e0, lpFindFileData=0x3a1e6a4 | out: lpFindFileData=0x3a1e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fancy", cAlternateFileName="")) returned 1 [0092.805] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\*", lpFindFileData=0x3a1e428 | out: lpFindFileData=0x3a1e428*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe26e0 [0092.807] FindNextFileW (in: hFindFile=0x3fe26e0, lpFindFileData=0x3a1e428 | out: lpFindFileData=0x3a1e428*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.807] FindNextFileW (in: hFindFile=0x3fe26e0, lpFindFileData=0x3a1e428 | out: lpFindFileData=0x3a1e428*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb486c900, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb486c900, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x16c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hierarchy.js", cAlternateFileName="HIERAR~1.JS")) returned 1 [0092.807] FindClose (in: hFindFile=0x3fe26e0 | out: hFindFile=0x3fe26e0) returned 1 [0092.808] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40797c0 | out: hHeap=0x240000) returned 1 [0092.808] FindNextFileW (in: hFindFile=0x3fe27e0, lpFindFileData=0x3a1e6a4 | out: lpFindFileData=0x3a1e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fancy", cAlternateFileName="")) returned 0 [0092.808] FindClose (in: hFindFile=0x3fe27e0 | out: hFindFile=0x3fe27e0) returned 1 [0092.808] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40697b8 | out: hHeap=0x240000) returned 1 [0092.809] FindNextFileW (in: hFindFile=0x3fe2760, lpFindFileData=0x3a1e920 | out: lpFindFileData=0x3a1e920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Project Report Type", cAlternateFileName="PROJEC~1")) returned 0 [0092.809] FindClose (in: hFindFile=0x3fe2760 | out: hFindFile=0x3fe2760) returned 1 [0092.809] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3ff4768 | out: hHeap=0x240000) returned 1 [0092.809] FindNextFileW (in: hFindFile=0x3fe2720, lpFindFileData=0x3a1eb9c | out: lpFindFileData=0x3a1eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5b7f600, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb5b7f600, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x4f0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectToolsetIconImages.jpg", cAlternateFileName="PROJEC~3.JPG")) returned 1 [0092.809] FindClose (in: hFindFile=0x3fe2720 | out: hFindFile=0x3fe2720) returned 1 [0092.809] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x41097d8 | out: hHeap=0x240000) returned 1 [0092.809] FindNextFileW (in: hFindFile=0x3fe26a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Welcome Tool", cAlternateFileName="WELCOM~1")) returned 1 [0092.809] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\*", lpFindFileData=0x3a1eb9c | out: lpFindFileData=0x3a1eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe2720 [0092.811] FindNextFileW (in: hFindFile=0x3fe2720, lpFindFileData=0x3a1eb9c | out: lpFindFileData=0x3a1eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0092.812] FindNextFileW (in: hFindFile=0x3fe2720, lpFindFileData=0x3a1eb9c | out: lpFindFileData=0x3a1eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbadd700, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbbadd700, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x10f3, dwReserved0=0x0, dwReserved1=0x0, cFileName="IconImages.jpg", cAlternateFileName="ICONIM~1.JPG")) returned 1 [0092.812] FindClose (in: hFindFile=0x3fe2720 | out: hFindFile=0x3fe2720) returned 1 [0092.812] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x41097d8 | out: hHeap=0x240000) returned 1 [0092.812] FindNextFileW (in: hFindFile=0x3fe26a0, lpFindFileData=0x3a1ee18 | out: lpFindFileData=0x3a1ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Welcome Tool", cAlternateFileName="WELCOM~1")) returned 0 [0092.812] FindClose (in: hFindFile=0x3fe26a0 | out: hFindFile=0x3fe26a0) returned 1 [0092.812] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x40f97d0 | out: hHeap=0x240000) returned 1 [0092.817] FindNextFileW (in: hFindFile=0x3fe2620, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51174850, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x709f1ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x709f1ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="groove.net", cAlternateFileName="")) returned 0 [0092.817] FindClose (in: hFindFile=0x3fe2620 | out: hFindFile=0x3fe2620) returned 1 [0092.817] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x3fb02e0 | out: hHeap=0x240000) returned 1 [0092.817] FindNextFileW (in: hFindFile=0x3fe2660, lpFindFileData=0x3a1f310 | out: lpFindFileData=0x3a1f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52a4cdf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x709f1ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x709f1ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 1 [0092.817] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\*", lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52a4cdf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x709f1ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x709f1ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3fe25a0 [0093.113] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52a4cdf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x709f1ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x709f1ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0093.113] FindNextFileW (in: hFindFile=0x3fe25a0, lpFindFileData=0x3a1f094 | out: lpFindFileData=0x3a1f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcdf0400, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x5eb686b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbcdf0400, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0xa2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ALERT.ICO", cAlternateFileName="")) returned 1 Thread: id = 20 os_tid = 0x804 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x36132000" os_pid = "0x304" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb04" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x488 [0064.852] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fa50 | out: lpSystemTimeAsFileTime=0x22fa50*(dwLowDateTime=0x31ae2330, dwHighDateTime=0x1d665ee)) [0064.852] GetCurrentProcessId () returned 0x304 [0064.853] GetCurrentThreadId () returned 0x488 [0064.853] GetTickCount () returned 0x1148373 [0064.853] QueryPerformanceCounter (in: lpPerformanceCount=0x22fa58 | out: lpPerformanceCount=0x22fa58*=18520689299) returned 1 [0064.854] GetModuleHandleW (lpModuleName=0x0) returned 0x4a910000 [0064.854] __set_app_type (_Type=0x1) [0064.854] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a937810) returned 0x0 [0064.854] __getmainargs (in: _Argc=0x4a95a608, _Argv=0x4a95a618, _Env=0x4a95a610, _DoWildCard=0, _StartInfo=0x4a93e0f4 | out: _Argc=0x4a95a608, _Argv=0x4a95a618, _Env=0x4a95a610) returned 0 [0064.854] GetCurrentThreadId () returned 0x488 [0064.854] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x488) returned 0x3c [0064.875] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0064.875] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0064.876] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0064.876] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0064.876] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22f9e8 | out: phkResult=0x22f9e8*=0x0) returned 0x2 [0064.876] VirtualQuery (in: lpAddress=0x22f9d0, lpBuffer=0x22f950, dwLength=0x30 | out: lpBuffer=0x22f950*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0064.876] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22f950, dwLength=0x30 | out: lpBuffer=0x22f950*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0064.876] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22f950, dwLength=0x30 | out: lpBuffer=0x22f950*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0064.876] VirtualQuery (in: lpAddress=0x134000, lpBuffer=0x22f950, dwLength=0x30 | out: lpBuffer=0x22f950*(BaseAddress=0x134000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0064.876] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22f950, dwLength=0x30 | out: lpBuffer=0x22f950*(BaseAddress=0x230000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0x70000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0064.876] GetConsoleOutputCP () returned 0x1b5 [0064.877] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a94bfe0 | out: lpCPInfo=0x4a94bfe0) returned 1 [0064.877] SetConsoleCtrlHandler (HandlerRoutine=0x4a933184, Add=1) returned 1 [0064.877] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.877] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0064.877] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.877] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a93e194 | out: lpMode=0x4a93e194) returned 0 [0064.877] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.877] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a93e198 | out: lpMode=0x4a93e198) returned 0 [0064.878] GetEnvironmentStringsW () returned 0x2b8a60* [0064.878] GetProcessHeap () returned 0x2a0000 [0064.878] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xa7c) returned 0x2b94f0 [0064.878] FreeEnvironmentStringsW (penv=0x2b8a60) returned 1 [0064.878] GetProcessHeap () returned 0x2a0000 [0064.878] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x8) returned 0x2b88e0 [0064.878] GetEnvironmentStringsW () returned 0x2b8a60* [0064.878] GetProcessHeap () returned 0x2a0000 [0064.878] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xa7c) returned 0x2b9f80 [0064.878] FreeEnvironmentStringsW (penv=0x2b8a60) returned 1 [0064.878] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e8a8 | out: phkResult=0x22e8a8*=0x44) returned 0x0 [0064.878] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x0, lpData=0x22e8c0*=0x18, lpcbData=0x22e8a4*=0x1000) returned 0x2 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x4, lpData=0x22e8c0*=0x1, lpcbData=0x22e8a4*=0x4) returned 0x0 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x0, lpData=0x22e8c0*=0x1, lpcbData=0x22e8a4*=0x1000) returned 0x2 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x4, lpData=0x22e8c0*=0x0, lpcbData=0x22e8a4*=0x4) returned 0x0 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x4, lpData=0x22e8c0*=0x40, lpcbData=0x22e8a4*=0x4) returned 0x0 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x4, lpData=0x22e8c0*=0x40, lpcbData=0x22e8a4*=0x4) returned 0x0 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x0, lpData=0x22e8c0*=0x40, lpcbData=0x22e8a4*=0x1000) returned 0x2 [0064.879] RegCloseKey (hKey=0x44) returned 0x0 [0064.879] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22e8a8 | out: phkResult=0x22e8a8*=0x44) returned 0x0 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x0, lpData=0x22e8c0*=0x40, lpcbData=0x22e8a4*=0x1000) returned 0x2 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x4, lpData=0x22e8c0*=0x1, lpcbData=0x22e8a4*=0x4) returned 0x0 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x0, lpData=0x22e8c0*=0x1, lpcbData=0x22e8a4*=0x1000) returned 0x2 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x4, lpData=0x22e8c0*=0x0, lpcbData=0x22e8a4*=0x4) returned 0x0 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x4, lpData=0x22e8c0*=0x9, lpcbData=0x22e8a4*=0x4) returned 0x0 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x4, lpData=0x22e8c0*=0x9, lpcbData=0x22e8a4*=0x4) returned 0x0 [0064.879] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22e8a0, lpData=0x22e8c0, lpcbData=0x22e8a4*=0x1000 | out: lpType=0x22e8a0*=0x0, lpData=0x22e8c0*=0x9, lpcbData=0x22e8a4*=0x1000) returned 0x2 [0064.879] RegCloseKey (hKey=0x44) returned 0x0 [0064.879] time (in: timer=0x0 | out: timer=0x0) returned 0x5f21e84c [0064.879] srand (_Seed=0x5f21e84c) [0064.879] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0064.879] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0064.880] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a94c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.880] GetProcessHeap () returned 0x2a0000 [0064.880] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x218) returned 0x2baa10 [0064.880] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2baa20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0064.880] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a93f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0064.880] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a93f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0064.880] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a93f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.880] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0064.880] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0064.880] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0064.880] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0064.880] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0064.880] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0064.880] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0064.881] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0064.881] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0064.881] GetProcessHeap () returned 0x2a0000 [0064.881] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b94f0 | out: hHeap=0x2a0000) returned 1 [0064.881] GetEnvironmentStringsW () returned 0x2b8a60* [0064.881] GetProcessHeap () returned 0x2a0000 [0064.881] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xa94) returned 0x2bac30 [0064.881] FreeEnvironmentStringsW (penv=0x2b8a60) returned 1 [0064.881] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a93f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0064.881] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a93f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0064.881] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0064.881] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0064.881] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0064.881] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0064.881] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0064.881] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0064.881] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0064.881] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0064.881] GetProcessHeap () returned 0x2a0000 [0064.881] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x5c) returned 0x2bb6d0 [0064.881] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f6b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.881] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x22f6b0, lpFilePart=0x22f690 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x22f690*="Desktop") returned 0x25 [0064.882] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.882] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f3c0 | out: lpFindFileData=0x22f3c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x2bb740 [0064.882] FindClose (in: hFindFile=0x2bb740 | out: hFindFile=0x2bb740) returned 1 [0064.882] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x22f3c0 | out: lpFindFileData=0x22f3c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x2bb740 [0064.882] FindClose (in: hFindFile=0x2bb740 | out: hFindFile=0x2bb740) returned 1 [0064.882] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0064.882] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x22f3c0 | out: lpFindFileData=0x22f3c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2627e960, ftLastAccessTime.dwHighDateTime=0x1d665ee, ftLastWriteTime.dwLowDateTime=0x2627e960, ftLastWriteTime.dwHighDateTime=0x1d665ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x2bb740 [0064.882] FindClose (in: hFindFile=0x2bb740 | out: hFindFile=0x2bb740) returned 1 [0064.883] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0064.883] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0064.883] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0064.883] GetProcessHeap () returned 0x2a0000 [0064.883] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2bac30 | out: hHeap=0x2a0000) returned 1 [0064.883] GetEnvironmentStringsW () returned 0x2bb740* [0064.883] GetProcessHeap () returned 0x2a0000 [0064.883] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xae8) returned 0x2bc230 [0064.883] FreeEnvironmentStringsW (penv=0x2bb740) returned 1 [0064.883] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a94c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.883] GetProcessHeap () returned 0x2a0000 [0064.883] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2bb6d0 | out: hHeap=0x2a0000) returned 1 [0064.883] GetProcessHeap () returned 0x2a0000 [0064.883] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x4016) returned 0x2bcd20 [0064.883] GetProcessHeap () returned 0x2a0000 [0064.883] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2bcd20 | out: hHeap=0x2a0000) returned 1 [0064.883] GetConsoleOutputCP () returned 0x1b5 [0064.884] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a94bfe0 | out: lpCPInfo=0x4a94bfe0) returned 1 [0064.884] GetUserDefaultLCID () returned 0x409 [0064.884] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a947b50, cchData=8 | out: lpLCData=":") returned 2 [0064.884] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f7c0, cchData=128 | out: lpLCData="0") returned 2 [0064.884] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f7c0, cchData=128 | out: lpLCData="0") returned 2 [0064.884] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f7c0, cchData=128 | out: lpLCData="1") returned 2 [0064.884] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a95a740, cchData=8 | out: lpLCData="/") returned 2 [0064.884] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a95a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0064.885] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a95a460, cchData=32 | out: lpLCData="Tue") returned 4 [0064.885] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a95a420, cchData=32 | out: lpLCData="Wed") returned 4 [0064.885] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a95a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0064.885] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a95a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0064.885] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a95a360, cchData=32 | out: lpLCData="Sat") returned 4 [0064.885] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a95a700, cchData=32 | out: lpLCData="Sun") returned 4 [0064.885] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a947b40, cchData=8 | out: lpLCData=".") returned 2 [0064.885] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a95a4e0, cchData=8 | out: lpLCData=",") returned 2 [0064.885] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0064.886] GetProcessHeap () returned 0x2a0000 [0064.886] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x0, Size=0x20c) returned 0x2b95c0 [0064.886] GetConsoleTitleW (in: lpConsoleTitle=0x2b95c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0064.886] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.886] GetFileType (hFile=0xf4) returned 0x3 [0064.886] BrandingFormatString () returned 0x2b97e0 [0064.893] GetVersion () returned 0x1db10106 [0064.893] _vsnwprintf (in: _Buffer=0x22f930, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x22f8c8 | out: _Buffer="6.1.7601") returned 8 [0064.893] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.893] GetFileType (hFile=0xf4) returned 0x3 [0064.893] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a956340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0064.893] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a956340, nSize=0x2000, Arguments=0x22f8d0 | out: lpBuffer="Microsoft Windows [Version 6.1.7601]") returned 0x24 [0064.893] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.893] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 6.1.7601]", cchWideChar=-1, lpMultiByteStr=0x4a94c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 6.1.7601]", lpUsedDefaultChar=0x0) returned 37 [0064.893] WriteFile (in: hFile=0xf4, lpBuffer=0x4a94c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x22f858, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesWritten=0x22f858*=0x24, lpOverlapped=0x0) returned 1 [0064.894] _vsnwprintf (in: _Buffer=0x4a956340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f8f8 | out: _Buffer="\r\n") returned 2 [0064.894] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.894] GetFileType (hFile=0xf4) returned 0x3 [0064.894] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.894] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a94c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0064.894] WriteFile (in: hFile=0xf4, lpBuffer=0x4a94c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x22f8c8, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesWritten=0x22f8c8*=0x2, lpOverlapped=0x0) returned 1 [0064.894] _vsnwprintf (in: _Buffer=0x4a956340, _BufferCount=0x1fff, _Format="%s", _ArgList=0x22f8f8 | out: _Buffer="Copyright (c) 2009 Microsoft Corporation. All rights reserved.") returned 63 [0064.894] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.894] GetFileType (hFile=0xf4) returned 0x3 [0064.894] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.894] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x4a94c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 64 [0064.894] WriteFile (in: hFile=0xf4, lpBuffer=0x4a94c320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x22f8c8, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesWritten=0x22f8c8*=0x3f, lpOverlapped=0x0) returned 1 [0064.894] _vsnwprintf (in: _Buffer=0x4a956340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f8f8 | out: _Buffer="\r\n") returned 2 [0064.894] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.894] GetFileType (hFile=0xf4) returned 0x3 [0064.894] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.894] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a94c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0064.894] WriteFile (in: hFile=0xf4, lpBuffer=0x4a94c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x22f8c8, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesWritten=0x22f8c8*=0x2, lpOverlapped=0x0) returned 1 [0064.895] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0064.895] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0064.895] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0064.895] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0064.895] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.895] GetFileType (hFile=0xe8) returned 0x3 [0064.895] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0064.895] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x22f720 | out: TokenHandle=0x22f720*=0x0) returned 0xc000007c [0064.895] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x22f720 | out: TokenHandle=0x22f720*=0x50) returned 0x0 [0064.895] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x12, TokenInformation=0x22f730, TokenInformationLength=0x4, ReturnLength=0x22f738 | out: TokenInformation=0x22f730, ReturnLength=0x22f738) returned 0x0 [0064.895] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x1a, TokenInformation=0x22f738, TokenInformationLength=0x4, ReturnLength=0x22f730 | out: TokenInformation=0x22f738, ReturnLength=0x22f730) returned 0x0 [0064.895] NtClose (Handle=0x50) returned 0x0 [0064.895] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x22f700, nSize=0x0, Arguments=0x22f708 | out: lpBuffer="韠+") returned 0xf [0064.895] GetProcessHeap () returned 0x2a0000 [0064.895] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x218) returned 0x2a1ab0 [0064.896] GetConsoleTitleW (in: lpConsoleTitle=0x22f750, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0064.896] wcsstr (_Str="C:\\Windows\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0064.896] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0064.897] GetProcessHeap () returned 0x2a0000 [0064.897] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2a1ab0 | out: hHeap=0x2a0000) returned 1 [0064.897] LocalFree (hMem=0x2b97e0) returned 0x0 [0064.897] GetProcessHeap () returned 0x2a0000 [0064.897] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2baa10 | out: hHeap=0x2a0000) returned 1 [0064.897] _vsnwprintf (in: _Buffer=0x4a956340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f438 | out: _Buffer="\r\n") returned 2 [0064.897] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.897] GetFileType (hFile=0xf4) returned 0x3 [0064.897] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.897] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a94c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0064.898] WriteFile (in: hFile=0xf4, lpBuffer=0x4a94c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x22f408, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesWritten=0x22f408*=0x2, lpOverlapped=0x0) returned 1 [0064.898] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a93f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0064.898] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a94c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0064.898] _vsnwprintf (in: _Buffer=0x4a93eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x22f448 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0064.898] _vsnwprintf (in: _Buffer=0x4a93ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x22f448 | out: _Buffer=">") returned 1 [0064.898] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.898] GetFileType (hFile=0xf4) returned 0x3 [0064.898] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.898] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a94c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0064.898] WriteFile (in: hFile=0xf4, lpBuffer=0x4a94c320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x22f438, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesWritten=0x22f438*=0x26, lpOverlapped=0x0) returned 1 [0064.898] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.898] GetFileType (hFile=0xe8) returned 0x3 [0064.898] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.898] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.898] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.898] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e320, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0064.903] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.903] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.903] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.903] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e322, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0064.903] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.903] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.904] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.904] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e324, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0064.904] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.904] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.904] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.904] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e326, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0064.904] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.904] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.904] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.904] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e328, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0064.904] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.904] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.904] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.904] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e32a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0064.904] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.904] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.904] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.904] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e32c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0064.904] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.904] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.904] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.904] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e32e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0064.904] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.904] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.904] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e330, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0064.905] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.905] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.905] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e332, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0064.905] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.905] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.905] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e334, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0064.905] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.905] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.905] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e336, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0064.905] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.905] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.905] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e338, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0064.905] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.905] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.905] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e33a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0064.905] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.905] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.905] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e33c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0064.905] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.905] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.906] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.906] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e33e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0064.906] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.906] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.906] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.906] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e340, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0064.906] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.906] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.906] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.906] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e342, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0064.906] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.906] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.906] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.906] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e344, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0064.906] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.906] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.906] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.906] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e346, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0064.906] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.906] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.906] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.906] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e348, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0064.906] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.907] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.907] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.907] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e34a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0064.907] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.907] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.907] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.907] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e34c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0064.907] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.907] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.907] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0064.907] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e34e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0064.907] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.908] GetFileType (hFile=0xe8) returned 0x3 [0064.908] _get_osfhandle (_FileHandle=0) returned 0xe8 [0064.908] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0064.908] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.908] GetFileType (hFile=0xf4) returned 0x3 [0064.908] _get_osfhandle (_FileHandle=1) returned 0xf4 [0064.908] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x4a94c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0064.908] WriteFile (in: hFile=0xf4, lpBuffer=0x4a94c320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x22f718, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesWritten=0x22f718*=0x18, lpOverlapped=0x0) returned 1 [0064.908] GetProcessHeap () returned 0x2a0000 [0064.908] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x4012) returned 0x2bcd20 [0064.908] GetProcessHeap () returned 0x2a0000 [0064.908] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2bcd20 | out: hHeap=0x2a0000) returned 1 [0064.908] _wcsicmp (_String1="mode", _String2=")") returned 68 [0064.908] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0064.908] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0064.909] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0064.909] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0064.909] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0064.909] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0064.909] GetProcessHeap () returned 0x2a0000 [0064.909] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xb0) returned 0x2b97e0 [0064.909] GetProcessHeap () returned 0x2a0000 [0064.909] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x1a) returned 0x2b4610 [0064.909] GetProcessHeap () returned 0x2a0000 [0064.909] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x38) returned 0x2b6510 [0064.910] GetConsoleOutputCP () returned 0x1b5 [0064.910] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a94bfe0 | out: lpCPInfo=0x4a94bfe0) returned 1 [0064.910] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0064.911] GetConsoleTitleW (in: lpConsoleTitle=0x22f6d0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0064.911] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0064.911] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0064.911] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0064.911] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0064.911] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0064.911] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0064.911] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0064.911] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0064.911] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0064.911] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0064.911] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0064.911] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0064.911] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0064.911] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0064.911] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0064.911] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0064.911] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0064.911] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0064.911] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0064.911] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0064.911] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0064.911] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0064.912] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0064.912] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0064.912] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0064.912] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0064.912] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0064.912] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0064.912] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0064.912] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0064.912] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0064.912] _wcsicmp (_String1="mode", _String2="START") returned -6 [0064.912] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0064.912] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0064.912] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0064.912] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0064.912] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0064.912] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0064.912] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0064.912] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0064.912] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0064.912] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0064.912] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0064.912] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0064.912] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0064.912] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0064.912] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0064.912] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0064.912] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0064.912] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0064.912] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0064.912] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0064.912] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0064.912] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0064.912] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0064.913] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0064.913] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0064.913] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0064.913] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0064.913] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0064.913] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0064.913] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0064.913] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0064.913] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0064.913] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0064.913] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0064.913] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0064.913] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0064.913] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0064.913] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0064.913] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0064.913] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0064.913] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0064.913] _wcsicmp (_String1="mode", _String2="START") returned -6 [0064.913] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0064.913] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0064.913] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0064.913] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0064.913] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0064.913] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0064.913] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0064.913] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0064.913] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0064.913] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0064.913] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0064.913] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0064.913] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0064.914] GetProcessHeap () returned 0x2a0000 [0064.914] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x218) returned 0x2a1ab0 [0064.914] GetProcessHeap () returned 0x2a0000 [0064.914] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x42) returned 0x2b98a0 [0064.914] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0064.914] GetProcessHeap () returned 0x2a0000 [0064.914] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x420) returned 0x2b9a80 [0064.914] SetErrorMode (uMode=0x0) returned 0x0 [0064.914] SetErrorMode (uMode=0x1) returned 0x0 [0064.914] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2b9a90, lpFilePart=0x22ef60 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x22ef60*="Desktop") returned 0x25 [0064.914] SetErrorMode (uMode=0x0) returned 0x1 [0064.914] GetProcessHeap () returned 0x2a0000 [0064.914] RtlReAllocateHeap (Heap=0x2a0000, Flags=0x0, Ptr=0x2b9a80, Size=0x66) returned 0x2b9a80 [0064.915] GetProcessHeap () returned 0x2a0000 [0064.915] RtlSizeHeap (HeapHandle=0x2a0000, Flags=0x0, MemoryPointer=0x2b9a80) returned 0x66 [0064.915] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a93f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0064.915] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0064.915] GetProcessHeap () returned 0x2a0000 [0064.915] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x128) returned 0x2a1cd0 [0064.915] GetProcessHeap () returned 0x2a0000 [0064.915] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x240) returned 0x2b9b00 [0064.922] GetProcessHeap () returned 0x2a0000 [0064.922] RtlReAllocateHeap (Heap=0x2a0000, Flags=0x0, Ptr=0x2b9b00, Size=0x12a) returned 0x2b9b00 [0064.922] GetProcessHeap () returned 0x2a0000 [0064.922] RtlSizeHeap (HeapHandle=0x2a0000, Flags=0x0, MemoryPointer=0x2b9b00) returned 0x12a [0064.922] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a93f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0064.922] GetProcessHeap () returned 0x2a0000 [0064.922] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xe8) returned 0x2b5b70 [0064.922] GetProcessHeap () returned 0x2a0000 [0064.922] RtlReAllocateHeap (Heap=0x2a0000, Flags=0x0, Ptr=0x2b5b70, Size=0x7e) returned 0x2b5b70 [0064.922] GetProcessHeap () returned 0x2a0000 [0064.922] RtlSizeHeap (HeapHandle=0x2a0000, Flags=0x0, MemoryPointer=0x2b5b70) returned 0x7e [0064.924] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0064.924] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x22ecd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd0) returned 0xffffffffffffffff [0064.924] GetLastError () returned 0x2 [0064.924] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode", fInfoLevelId=0x1, lpFindFileData=0x22ecd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd0) returned 0xffffffffffffffff [0064.924] GetLastError () returned 0x2 [0064.925] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0064.925] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x22ecd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd0) returned 0x2b5c00 [0064.925] GetProcessHeap () returned 0x2a0000 [0064.925] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x0, Size=0x28) returned 0x2b4640 [0064.925] FindClose (in: hFindFile=0x2b5c00 | out: hFindFile=0x2b5c00) returned 1 [0064.925] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x22ecd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd0) returned 0x2b5c00 [0064.925] GetProcessHeap () returned 0x2a0000 [0064.925] RtlReAllocateHeap (Heap=0x2a0000, Flags=0x0, Ptr=0x2b4640, Size=0x8) returned 0x2b98f0 [0064.925] FindClose (in: hFindFile=0x2b5c00 | out: hFindFile=0x2b5c00) returned 1 [0064.925] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0064.925] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0064.925] GetConsoleTitleW (in: lpConsoleTitle=0x22f220, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0064.926] GetProcessHeap () returned 0x2a0000 [0064.926] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x21c) returned 0x2b9c40 [0064.926] GetConsoleTitleW (in: lpConsoleTitle=0x2b9c50, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0064.926] GetProcessHeap () returned 0x2a0000 [0064.926] RtlReAllocateHeap (Heap=0x2a0000, Flags=0x0, Ptr=0x2b9c40, Size=0xa8) returned 0x2b9c40 [0064.926] GetProcessHeap () returned 0x2a0000 [0064.926] RtlSizeHeap (HeapHandle=0x2a0000, Flags=0x0, MemoryPointer=0x2b9c40) returned 0xa8 [0064.926] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0064.927] GetProcessHeap () returned 0x2a0000 [0064.927] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b9c40 | out: hHeap=0x2a0000) returned 1 [0064.927] InitializeProcThreadAttributeList (in: lpAttributeList=0x22efd8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22ef98 | out: lpAttributeList=0x22efd8, lpSize=0x22ef98) returned 1 [0064.927] UpdateProcThreadAttribute (in: lpAttributeList=0x22efd8, dwFlags=0x0, Attribute=0x60001, lpValue=0x22ef88, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22efd8, lpPreviousValue=0x0) returned 1 [0064.927] GetStartupInfoW (in: lpStartupInfo=0x22f0f0 | out: lpStartupInfo=0x22f0f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0064.927] GetProcessHeap () returned 0x2a0000 [0064.927] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x20) returned 0x2b4640 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0064.928] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0064.929] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0064.929] GetProcessHeap () returned 0x2a0000 [0064.929] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b4640 | out: hHeap=0x2a0000) returned 1 [0064.929] GetProcessHeap () returned 0x2a0000 [0064.929] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x12) returned 0x2b8900 [0064.929] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x22f010*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22efc0 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x22efc0*(hProcess=0x54, hThread=0x50, dwProcessId=0x754, dwThreadId=0x4fc)) returned 1 [0064.939] CloseHandle (hObject=0x50) returned 1 [0064.939] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0064.939] GetProcessHeap () returned 0x2a0000 [0064.939] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2bc230 | out: hHeap=0x2a0000) returned 1 [0064.939] GetEnvironmentStringsW () returned 0x2baa10* [0064.939] GetProcessHeap () returned 0x2a0000 [0064.939] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xae8) returned 0x2bb500 [0064.939] FreeEnvironmentStringsW (penv=0x2baa10) returned 1 [0064.940] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x77a60000 [0064.940] GetProcAddress (hModule=0x77a60000, lpProcName="NtQueryInformationProcess") returned 0x77ab14a0 [0064.940] NtQueryInformationProcess (in: ProcessHandle=0x54, ProcessInformationClass=0x0, ProcessInformation=0x22e8c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x22e8c8, ReturnLength=0x0) returned 0x0 [0064.940] ReadProcessMemory (in: hProcess=0x54, lpBaseAddress=0x7fffffde000, lpBuffer=0x22e900, nSize=0x380, lpNumberOfBytesRead=0x22e8c0 | out: lpBuffer=0x22e900*, lpNumberOfBytesRead=0x22e8c0*=0x380) returned 1 [0064.940] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0066.988] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x22ef08 | out: lpExitCode=0x22ef08*=0x0) returned 1 [0066.988] CloseHandle (hObject=0x54) returned 1 [0066.988] _vsnwprintf (in: _Buffer=0x22f178, _BufferCount=0x13, _Format="%08X", _ArgList=0x22ef18 | out: _Buffer="00000000") returned 8 [0066.988] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0066.988] GetProcessHeap () returned 0x2a0000 [0066.988] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2bb500 | out: hHeap=0x2a0000) returned 1 [0066.988] GetEnvironmentStringsW () returned 0x2baa10* [0066.988] GetProcessHeap () returned 0x2a0000 [0066.988] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xb0e) returned 0x2beb10 [0066.988] FreeEnvironmentStringsW (penv=0x2baa10) returned 1 [0066.988] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0066.988] GetProcessHeap () returned 0x2a0000 [0066.988] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2beb10 | out: hHeap=0x2a0000) returned 1 [0066.988] GetEnvironmentStringsW () returned 0x2baa10* [0066.988] GetProcessHeap () returned 0x2a0000 [0066.988] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xb0e) returned 0x2beb10 [0066.988] FreeEnvironmentStringsW (penv=0x2baa10) returned 1 [0066.988] GetProcessHeap () returned 0x2a0000 [0066.988] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b8900 | out: hHeap=0x2a0000) returned 1 [0066.988] DeleteProcThreadAttributeList (in: lpAttributeList=0x22efd8 | out: lpAttributeList=0x22efd8) [0066.992] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0066.992] _get_osfhandle (_FileHandle=1) returned 0xf4 [0066.992] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0066.992] _get_osfhandle (_FileHandle=1) returned 0xf4 [0066.992] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a93e194 | out: lpMode=0x4a93e194) returned 0 [0066.993] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.993] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a93e198 | out: lpMode=0x4a93e198) returned 0 [0066.993] GetConsoleOutputCP () returned 0x4e3 [0066.993] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a94bfe0 | out: lpCPInfo=0x4a94bfe0) returned 1 [0066.993] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0066.994] GetProcessHeap () returned 0x2a0000 [0066.994] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b5b70 | out: hHeap=0x2a0000) returned 1 [0066.994] GetProcessHeap () returned 0x2a0000 [0066.994] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b9b00 | out: hHeap=0x2a0000) returned 1 [0066.994] GetProcessHeap () returned 0x2a0000 [0066.994] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2a1cd0 | out: hHeap=0x2a0000) returned 1 [0066.994] GetProcessHeap () returned 0x2a0000 [0066.994] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b9a80 | out: hHeap=0x2a0000) returned 1 [0066.994] GetProcessHeap () returned 0x2a0000 [0066.994] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b98a0 | out: hHeap=0x2a0000) returned 1 [0066.994] GetProcessHeap () returned 0x2a0000 [0066.994] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2a1ab0 | out: hHeap=0x2a0000) returned 1 [0066.994] GetProcessHeap () returned 0x2a0000 [0066.994] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b6510 | out: hHeap=0x2a0000) returned 1 [0066.994] GetProcessHeap () returned 0x2a0000 [0066.994] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b4610 | out: hHeap=0x2a0000) returned 1 [0066.994] GetProcessHeap () returned 0x2a0000 [0066.994] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b97e0 | out: hHeap=0x2a0000) returned 1 [0066.994] _vsnwprintf (in: _Buffer=0x4a956340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x22f438 | out: _Buffer="\r\n") returned 2 [0066.994] _get_osfhandle (_FileHandle=1) returned 0xf4 [0066.994] GetFileType (hFile=0xf4) returned 0x3 [0066.994] _get_osfhandle (_FileHandle=1) returned 0xf4 [0066.994] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a94c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0066.994] WriteFile (in: hFile=0xf4, lpBuffer=0x4a94c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x22f408, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesWritten=0x22f408*=0x2, lpOverlapped=0x0) returned 1 [0066.994] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a93f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0066.994] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a94c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0066.995] _vsnwprintf (in: _Buffer=0x4a93eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x22f448 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0066.995] _vsnwprintf (in: _Buffer=0x4a93ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x22f448 | out: _Buffer=">") returned 1 [0066.995] _get_osfhandle (_FileHandle=1) returned 0xf4 [0066.995] GetFileType (hFile=0xf4) returned 0x3 [0066.995] _get_osfhandle (_FileHandle=1) returned 0xf4 [0066.995] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a94c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0066.995] WriteFile (in: hFile=0xf4, lpBuffer=0x4a94c320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x22f438, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesWritten=0x22f438*=0x26, lpOverlapped=0x0) returned 1 [0066.995] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.995] GetFileType (hFile=0xe8) returned 0x3 [0066.995] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.995] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.995] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.995] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e320, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0066.995] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.995] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.995] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.995] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e322, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0066.995] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.995] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.996] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.996] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e324, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0066.996] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.996] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.996] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.996] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e326, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0066.996] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.996] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.996] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.996] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e328, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0066.996] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.996] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.996] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.996] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e32a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0066.996] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.996] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.996] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.996] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e32c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0066.996] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.996] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.996] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.996] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e32e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0066.996] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.996] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.997] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.997] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e330, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0066.997] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.997] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.997] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.997] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e332, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0066.997] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.997] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.997] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.997] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e334, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0066.997] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.997] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.997] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.997] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e336, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0066.997] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.997] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.997] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.997] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e338, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0066.997] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.997] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.997] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.997] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e33a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0066.997] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.997] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.997] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.998] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e33c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0066.998] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.998] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.998] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.998] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e33e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0066.998] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.998] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.998] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.998] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e340, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0066.998] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.998] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.998] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.998] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e342, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0066.998] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.998] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.998] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.998] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e344, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0066.998] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.998] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.998] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.998] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e346, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0066.998] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.998] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.998] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.999] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e348, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0066.999] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.999] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.999] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.999] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e34a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0066.999] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.999] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.999] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.999] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e34c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0066.999] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.999] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.999] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.999] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e34e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0066.999] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.999] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.999] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0066.999] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e350, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0066.999] _get_osfhandle (_FileHandle=0) returned 0xe8 [0066.999] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0066.999] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0067.000] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e352, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0067.000] _get_osfhandle (_FileHandle=0) returned 0xe8 [0067.000] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.000] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0067.000] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e354, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0067.000] _get_osfhandle (_FileHandle=0) returned 0xe8 [0067.000] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.000] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0067.000] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e356, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0067.000] _get_osfhandle (_FileHandle=0) returned 0xe8 [0067.000] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.000] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0067.000] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e358, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0067.000] _get_osfhandle (_FileHandle=0) returned 0xe8 [0067.000] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.000] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0067.000] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e35a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0067.000] _get_osfhandle (_FileHandle=0) returned 0xe8 [0067.000] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.001] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0067.001] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e35c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0067.001] _get_osfhandle (_FileHandle=0) returned 0xe8 [0067.001] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.001] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0067.001] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e35e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0067.001] _get_osfhandle (_FileHandle=0) returned 0xe8 [0067.001] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.001] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0067.001] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e360, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0067.001] _get_osfhandle (_FileHandle=0) returned 0xe8 [0067.001] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.001] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0067.001] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e362, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0067.001] _get_osfhandle (_FileHandle=0) returned 0xe8 [0067.001] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.001] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0067.001] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e364, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0067.001] _get_osfhandle (_FileHandle=0) returned 0xe8 [0067.001] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.002] ReadFile (in: hFile=0xe8, lpBuffer=0x4a94c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f738, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesRead=0x22f738*=0x1, lpOverlapped=0x0) returned 1 [0067.002] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a94c320, cbMultiByte=1, lpWideCharStr=0x4a94e366, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0067.002] _get_osfhandle (_FileHandle=0) returned 0xe8 [0067.002] GetFileType (hFile=0xe8) returned 0x3 [0067.002] _get_osfhandle (_FileHandle=0) returned 0xe8 [0067.002] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0067.002] _get_osfhandle (_FileHandle=1) returned 0xf4 [0067.002] GetFileType (hFile=0xf4) returned 0x3 [0067.002] _get_osfhandle (_FileHandle=1) returned 0xf4 [0067.002] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x4a94c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0067.002] WriteFile (in: hFile=0xf4, lpBuffer=0x4a94c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x22f718, lpOverlapped=0x0 | out: lpBuffer=0x4a94c320*, lpNumberOfBytesWritten=0x22f718*=0x24, lpOverlapped=0x0) returned 1 [0067.002] GetProcessHeap () returned 0x2a0000 [0067.002] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x4012) returned 0x2bf630 [0067.003] GetProcessHeap () returned 0x2a0000 [0067.003] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2bf630 | out: hHeap=0x2a0000) returned 1 [0067.003] GetProcessHeap () returned 0x2a0000 [0067.003] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xb0) returned 0x2b97e0 [0067.003] GetProcessHeap () returned 0x2a0000 [0067.003] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x22) returned 0x2b4610 [0067.003] GetProcessHeap () returned 0x2a0000 [0067.004] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x48) returned 0x2baa90 [0067.004] GetConsoleOutputCP () returned 0x4e3 [0067.004] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a94bfe0 | out: lpCPInfo=0x4a94bfe0) returned 1 [0067.004] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0067.004] GetConsoleTitleW (in: lpConsoleTitle=0x22f6d0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0067.004] GetProcessHeap () returned 0x2a0000 [0067.004] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x218) returned 0x2b9910 [0067.004] GetProcessHeap () returned 0x2a0000 [0067.004] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x5a) returned 0x2b9b30 [0067.005] GetProcessHeap () returned 0x2a0000 [0067.005] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x420) returned 0x2b9090 [0067.005] SetErrorMode (uMode=0x0) returned 0x0 [0067.005] SetErrorMode (uMode=0x1) returned 0x0 [0067.005] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2b90a0, lpFilePart=0x22ef60 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x22ef60*="Desktop") returned 0x25 [0067.005] SetErrorMode (uMode=0x0) returned 0x1 [0067.005] GetProcessHeap () returned 0x2a0000 [0067.005] RtlReAllocateHeap (Heap=0x2a0000, Flags=0x0, Ptr=0x2b9090, Size=0x6e) returned 0x2b9090 [0067.005] GetProcessHeap () returned 0x2a0000 [0067.005] RtlSizeHeap (HeapHandle=0x2a0000, Flags=0x0, MemoryPointer=0x2b9090) returned 0x6e [0067.005] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a93f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0067.005] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0067.005] GetProcessHeap () returned 0x2a0000 [0067.005] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x128) returned 0x2b5b70 [0067.005] GetProcessHeap () returned 0x2a0000 [0067.005] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x240) returned 0x2a1ab0 [0067.005] GetProcessHeap () returned 0x2a0000 [0067.005] RtlReAllocateHeap (Heap=0x2a0000, Flags=0x0, Ptr=0x2a1ab0, Size=0x12a) returned 0x2a1ab0 [0067.005] GetProcessHeap () returned 0x2a0000 [0067.005] RtlSizeHeap (HeapHandle=0x2a0000, Flags=0x0, MemoryPointer=0x2a1ab0) returned 0x12a [0067.005] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a93f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0067.005] GetProcessHeap () returned 0x2a0000 [0067.005] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xe8) returned 0x2b9db0 [0067.005] GetProcessHeap () returned 0x2a0000 [0067.005] RtlReAllocateHeap (Heap=0x2a0000, Flags=0x0, Ptr=0x2b9db0, Size=0x7e) returned 0x2b9db0 [0067.005] GetProcessHeap () returned 0x2a0000 [0067.005] RtlSizeHeap (HeapHandle=0x2a0000, Flags=0x0, MemoryPointer=0x2b9db0) returned 0x7e [0067.005] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0067.006] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x22ecd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd0) returned 0xffffffffffffffff [0067.006] GetLastError () returned 0x2 [0067.006] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x22ecd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd0) returned 0xffffffffffffffff [0067.006] GetLastError () returned 0x2 [0067.006] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0067.006] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x22ecd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd0) returned 0x2b9ba0 [0067.006] FindClose (in: hFindFile=0x2b9ba0 | out: hFindFile=0x2b9ba0) returned 1 [0067.006] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x22ecd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd0) returned 0xffffffffffffffff [0067.006] GetLastError () returned 0x2 [0067.006] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x22ecd0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22ecd0) returned 0x2b9ba0 [0067.007] FindClose (in: hFindFile=0x2b9ba0 | out: hFindFile=0x2b9ba0) returned 1 [0067.007] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0067.007] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0067.007] GetConsoleTitleW (in: lpConsoleTitle=0x22f220, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0067.007] GetProcessHeap () returned 0x2a0000 [0067.007] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x21c) returned 0x2b9110 [0067.007] GetConsoleTitleW (in: lpConsoleTitle=0x2b9120, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0067.007] GetProcessHeap () returned 0x2a0000 [0067.007] RtlReAllocateHeap (Heap=0x2a0000, Flags=0x0, Ptr=0x2b9110, Size=0xc0) returned 0x2b9110 [0067.007] GetProcessHeap () returned 0x2a0000 [0067.007] RtlSizeHeap (HeapHandle=0x2a0000, Flags=0x0, MemoryPointer=0x2b9110) returned 0xc0 [0067.007] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0067.008] GetProcessHeap () returned 0x2a0000 [0067.008] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b9110 | out: hHeap=0x2a0000) returned 1 [0067.008] InitializeProcThreadAttributeList (in: lpAttributeList=0x22efd8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22ef98 | out: lpAttributeList=0x22efd8, lpSize=0x22ef98) returned 1 [0067.008] UpdateProcThreadAttribute (in: lpAttributeList=0x22efd8, dwFlags=0x0, Attribute=0x60001, lpValue=0x22ef88, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22efd8, lpPreviousValue=0x0) returned 1 [0067.008] GetStartupInfoW (in: lpStartupInfo=0x22f0f0 | out: lpStartupInfo=0x22f0f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0067.008] GetProcessHeap () returned 0x2a0000 [0067.008] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x20) returned 0x2b4640 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0067.008] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0067.009] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0067.009] GetProcessHeap () returned 0x2a0000 [0067.009] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2b4640 | out: hHeap=0x2a0000) returned 1 [0067.009] GetProcessHeap () returned 0x2a0000 [0067.009] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x12) returned 0x2b8900 [0067.009] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x22f010*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22efc0 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x22efc0*(hProcess=0x50, hThread=0x54, dwProcessId=0x814, dwThreadId=0x824)) returned 1 [0067.018] CloseHandle (hObject=0x54) returned 1 [0067.018] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0067.018] GetProcessHeap () returned 0x2a0000 [0067.018] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2beb10 | out: hHeap=0x2a0000) returned 1 [0067.018] GetEnvironmentStringsW () returned 0x2beb10* [0067.018] GetProcessHeap () returned 0x2a0000 [0067.018] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xb0e) returned 0x2bf630 [0067.018] FreeEnvironmentStringsW (penv=0x2beb10) returned 1 [0067.018] NtQueryInformationProcess (in: ProcessHandle=0x50, ProcessInformationClass=0x0, ProcessInformation=0x22e8c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x22e8c8, ReturnLength=0x0) returned 0x0 [0067.018] ReadProcessMemory (in: hProcess=0x50, lpBaseAddress=0x7fffffd4000, lpBuffer=0x22e900, nSize=0x380, lpNumberOfBytesRead=0x22e8c0 | out: lpBuffer=0x22e900*, lpNumberOfBytesRead=0x22e8c0*=0x380) returned 1 [0067.018] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) Process: id = "3" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x33e17000" os_pid = "0x754" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x304" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 7 os_tid = 0x4fc Process: id = "4" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x2f228000" os_pid = "0x814" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x304" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 21 os_tid = 0x824 Thread: id = 22 os_tid = 0x854 Thread: id = 23 os_tid = 0x864 Thread: id = 24 os_tid = 0x874 Thread: id = 25 os_tid = 0x884 Process: id = "5" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x2d42a000" os_pid = "0x894" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005a5a8" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 26 os_tid = 0x8f8 Thread: id = 27 os_tid = 0x8e8 Thread: id = 28 os_tid = 0x8d8 [0079.470] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xf9d5e0 | out: lpSystemTimeAsFileTime=0xf9d5e0*(dwLowDateTime=0x37df76f0, dwHighDateTime=0x1d665ee)) [0079.470] GetCurrentProcessId () returned 0x894 [0079.470] GetCurrentThreadId () returned 0x8d8 [0079.470] GetTickCount () returned 0x114ac08 [0079.470] QueryPerformanceCounter (in: lpPerformanceCount=0xf9d5e8 | out: lpPerformanceCount=0xf9d5e8*=19982401189) returned 1 [0079.470] malloc (_Size=0x100) returned 0x5d8e80 Thread: id = 29 os_tid = 0x8c8 Thread: id = 30 os_tid = 0x8b8 Thread: id = 31 os_tid = 0x8a4 Thread: id = 32 os_tid = 0x908 Thread: id = 47 os_tid = 0x978 Thread: id = 54 os_tid = 0xae0 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 33 os_tid = 0x314 Thread: id = 34 os_tid = 0x6f4 Thread: id = 35 os_tid = 0x768 Thread: id = 36 os_tid = 0x764 Thread: id = 37 os_tid = 0x758 Thread: id = 38 os_tid = 0x724 Thread: id = 39 os_tid = 0x718 Thread: id = 40 os_tid = 0x714 Thread: id = 41 os_tid = 0x630 Thread: id = 42 os_tid = 0x154 Thread: id = 43 os_tid = 0x150 Thread: id = 44 os_tid = 0x120 Thread: id = 45 os_tid = 0x118 Thread: id = 46 os_tid = 0xf0 Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x2da2f000" os_pid = "0x918" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005ad64" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 48 os_tid = 0x988 Thread: id = 49 os_tid = 0x968 Thread: id = 50 os_tid = 0x958 Thread: id = 51 os_tid = 0x948 Thread: id = 52 os_tid = 0x938 Thread: id = 53 os_tid = 0x928